CVE-2022-24682 – Zimbra Webmail Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2022-24682
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. Se ha detectado un problema en la funcionalidad Calendar en Zimbra Collaboration Suite 8.8.x versiones anteriores a 8.8.15 parche 30 (actualización 1), como es explotado "in the wild" a partir de diciembre 2021. Un atacante podría colocar HTML que contenga JavaScript ejecutable dentro de los atributos de los elementos. • https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15 https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra • CWE-116: Improper Encoding or Escaping of Output •
CVE-2021-35207
https://notcve.org/view.php?id=CVE-2021-35207
An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16. An XSS vulnerability exists in the login component of Zimbra Web Client, in which an attacker can execute arbitrary JavaScript by adding executable JavaScript to the loginErrorCode parameter of the login url. Se presenta una vulnerabilidad de redireccionamiento abierto en el servlet /preauth de Zimbra Collaboration Suite versiones hasta 9.0. Para explotar la vulnerabilidad, un atacante necesitaría haber obtenido un token de autenticación válido de Zimbra o un token de preautenticación válido. Una vez obtenido el token, un atacante podría redirigir a un usuario a cualquier URL por medio de isredirect=1&redirectURL= en conjunto con los datos del token (por ejemplo, un valor authtoken= válido) • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-35208
https://notcve.org/view.php?id=CVE-2021-35208
An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. Se ha detectado un problema en el archivo ZmMailMsgView.js en el componente Calendar Invite en Zimbra Collaboration Suite versiones 8.8.x anteriores a 8.8.15 Patch 23. Un atacante podría colocar HTML conteniendo JavaScript ejecutable dentro de los atributos de los elementos. • https://blog.sonarsource.com/zimbra-webmail-compromise-via-email https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-35209
https://notcve.org/view.php?id=CVE-2021-35209
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting). Se ha detectado un problema en el archivo ProxyServlet.java en el servlet /proxy en Zimbra Collaboration Suite versiones 8.8 anteriores a 8.8.15 Patch 23 y versiones 9.x anteriores a 9.0.0 Patch 16. El valor de la cabecera X-Host sobrescribe el valor de la cabecera Host en las peticiones proxy. • https://blog.sonarsource.com/zimbra-webmail-compromise-via-email https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2021-34807
https://notcve.org/view.php?id=CVE-2021-34807
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL via isredirect=1&redirectURL= in conjunction with the token data (e.g., a valid authtoken= value). Existe una vulnerabilidad de redirección abierta en el servlet /preauth de Zimbra Collaboration Suite hasta la versión 9.0. Para explotar la vulnerabilidad, un atacante necesitaría haber obtenido un token de autentificación válido de Zimbra o un token de preautentificación válido. • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •