CVE-2023-37580

CVSS 6.1 MEDIUM · EPSS 59.0% · KEV · CWE-79
Vexday Risk Score
70 · High priority
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 6.1 · EPSS 59.0% · KEV yes · PoC Nuclei yes · Metasploit Patch
Lifecycle
27 Jul 2023: Active exploitation (CISA KEV)
31 Jul 2023: Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A security flaw in Zimbra Collaboration Server version 8 allows attackers to inject malicious scripts into the Classic Web Client, potentially stealing user credentials or session information when users view affected pages.

Technical detail

A cross-site scripting (XSS) vulnerability in Zimbra Collaboration Server 8.x prior to 8.8.15 Patch 41 enables attackers to inject malicious JavaScript code that executes in users' browsers within the Zimbra Classic Web Client context. Exploitation requires user interaction (visiting a malicious link or viewing crafted content), and successful exploitation can lead to session hijacking, credential theft, or unauthorized actions on behalf of the user.

Summary generated and translated by AI from the official description.
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a