CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability

Introduction

Zimbra Collaboration Suite (ZCS) is an open-source email collaboration suite widely used by a variety of organizations, including government agencies, universities, and companies. It has been the target of various cyber attacks due to its widespread use. The CVE-2023-37580 is a Cross-Site Scripting (XSS) vulnerability that has been discovered in ZCS. This vulnerability could potentially impact the confidentiality and integrity of user data.

Exploitation in the Wild

This vulnerability has been actively exploited in the wild. Threat actors have been observed leveraging this vulnerability to execute arbitrary code through a crafted script to the /h/autoSaveDraft function. It affects Zimbra Collaboration Suite (ZCS) v.8.8.15. This makes it imperative for organizations using ZCS to take immediate action to mitigate this vulnerability.

MITRE ATT&CK TTPs

The following MITRE ATT&CK TTPs have been associated with this vulnerability:

• T1059.007: JavaScript: The vulnerability allows the execution of arbitrary JavaScript code, which can be used to manipulate or steal sensitive data.
• T1190: Exploit Public-Facing Application: The Zimbra Collaboration Suite is a public-facing application, and this vulnerability can be exploited by an attacker to gain unauthorized access to the system.
• T1506: Web Session Cookie: The XSS vulnerability could potentially be used to steal web session cookies, leading to session hijacking.

Mitigation Instructions

Zimbra has already taken immediate action to address the issue and has provided instructions on how to manually apply the fix. The steps to apply the fix manually on all of your mailbox nodes are as follows:

1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
2. Edit this file and go to line number 40.
3. Update the parameter value as below: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>.
   • Before the update, the line appeared as: <input name="st" type="hidden" value="${param.st}"/>.
   • After the update, the line should appear as: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>.

Note: Zimbra service restart is not required so you can do it without any downtime.

Further Reading

• Zimbra Security Center
• Security Update: Zimbra Collaboration Suite Version 8.8.15 [Important]
• Critical XSS vulnerability in Zimbra exploited in the wild (CVE-2023-34192) – Help Net Security