CVE-2024-33533

12.08.2024, 15:15

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	---				---
CISA-ADP	ADP	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Vendor	Product	Version
zimbra	collaboration	10.0.0 ≤ 𝑥 < 10.0.8
zimbra	collaboration	9.0.0
zimbra	collaboration	9.0.0:p0
zimbra	collaboration	9.0.0:p1
zimbra	collaboration	9.0.0:p10
zimbra	collaboration	9.0.0:p11
zimbra	collaboration	9.0.0:p12
zimbra	collaboration	9.0.0:p13
zimbra	collaboration	9.0.0:p14
zimbra	collaboration	9.0.0:p15
zimbra	collaboration	9.0.0:p16
zimbra	collaboration	9.0.0:p19
zimbra	collaboration	9.0.0:p2
zimbra	collaboration	9.0.0:p20
zimbra	collaboration	9.0.0:p21
zimbra	collaboration	9.0.0:p23
zimbra	collaboration	9.0.0:p24
zimbra	collaboration	9.0.0:p24.1
zimbra	collaboration	9.0.0:p25
zimbra	collaboration	9.0.0:p26
zimbra	collaboration	9.0.0:p27
zimbra	collaboration	9.0.0:p3
zimbra	collaboration	9.0.0:p30
zimbra	collaboration	9.0.0:p31
zimbra	collaboration	9.0.0:p32
zimbra	collaboration	9.0.0:p33
zimbra	collaboration	9.0.0:p34
zimbra	collaboration	9.0.0:p35
zimbra	collaboration	9.0.0:p36
zimbra	collaboration	9.0.0:p37
zimbra	collaboration	9.0.0:p38
zimbra	collaboration	9.0.0:p39
zimbra	collaboration	9.0.0:p4
zimbra	collaboration	9.0.0:p5
zimbra	collaboration	9.0.0:p6
zimbra	collaboration	9.0.0:p7
zimbra	collaboration	9.0.0:p7.1
zimbra	collaboration	9.0.0:p8
zimbra	collaboration	9.0.0:p9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes