CVE-2018-6882
Published 2018-03-27
Priority: P1 · 81 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-10
Exploited in the wild
EPSS: 23.72% (97.5th percentile)
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | < 8.7.0 | 8.7.0 |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
- Detect vulnerable Zimbra versions by matching CLIENT_VERSION in ZmSettings.js against known vulnerable version strings (8.7.0, 8.7.5, 8.7.11, 8.8.0, 8.8.6 GA builds).
- Exploitation is delivered via SMTP (port 25) using a crafted multipart email with a malicious Content-Location header in an attachment part containing an XSS payload (e.g., `http://foo.bar'>`). Monitor inbound SMTP traffic for Content-Location headers containing HTML/JS injection characters.
- Attackers authenticate to Zimbra via POST to `/` with `loginOp=login` and extract a CSRF token (`window.csrfToken`) and session ID from the response before issuing the SOAP SearchConvRequest. Monitor for automated login + SOAP enumeration sequences.
- The SOAP exploit request targets `/service/soap/SearchConvRequest` with `fetch`, `html:1`, and a large `max` value. The X-Zimbra-Csrf-Token header is present. Correlate this with prior login activity as part of a multi-step attack chain.
- The advisory reference at securify.nl provides full technical details of the vulnerability in ZmMailMsgView.getAttachmentLinkHtml. Use it for additional payload patterns.
- The Nuclei template requires valid Zimbra credentials (`{{user}}`, `{{pass}}`, `{{mail}}`) and an interactsh callback URL (`{{base}}`). Without these, the multi-step flow (version check → login → SOAP request → SMTP delivery) cannot complete.
- The template is marked `intrusive` and requires SMTP port 25 to be accessible from the scanner to the target Zimbra server to deliver the malicious email attachment.
- The full exploit flow requires four sequential steps to succeed: HTTP version check, TCP SMTP delivery, HTTP login (with CSRF/session extraction), and HTTP SOAP SearchConvRequest. All four must succeed (`flow: http(1) && tcp(1) && http(2) && http(3)`).
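A defensive check for the Content-Location monitoring described above, as an added example that is not part of the original page or the Nuclei template: it walks the MIME parts of a message and flags Content-Location values containing HTML-breaking characters. The function name, the character set and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Characters that RFC 3986 does not allow unencoded in a URI and that can
# break out of an HTML attribute when the value is rendered into a link.
SUSPICIOUS = set("'\"<>`")

def scan_content_location(raw: bytes):
    """Return (part_index, filename, value, bad_chars) for every MIME part
    whose Content-Location header contains HTML-breaking characters."""
    # policy.default unfolds continuation lines and decodes RFC 2047
    # encoded-words, so the check sees the value a mail client would see.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        for value in part.get_all("Content-Location", []):
            value = str(value)
            bad = "".join(sorted(set(value) & SUSPICIOUS))
            if bad:
                findings.append((idx, part.get_filename(), value, bad))
    return findings

# Constructed sample: one attachment carries the value quoted on this page,
# the other carries an ordinary URL and must not be flagged.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: user@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="a.txt"\r\n'
    b"Content-Location: http://foo.bar'>\r\n\r\ndata\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="b.txt"\r\n'
    b"Content-Location: http://example.org/b.txt\r\n\r\ndata\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_content_location(SAMPLE):
        print(finding)
```

The same function can be run from a milter or over quarantined `.eml` files; a hit is a reason to inspect the message, not proof of exploitation.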
CVSS provenance
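| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |
| cisa | — | 6.1 | MEDIUM | — |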
GHSA
GHSA-3rrv-gxmq-5643: Cross-site scripting (XSS) vulnerability in the ZmMailMsgView
ghsa_unreviewed·2022-05-14
CVE-2018-6882 [MEDIUM] CWE-79 GHSA-3rrv-gxmq-5643: Cross-site scripting (XSS) vulnerability in the ZmMailMsgView
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
vulncheck·2018·CVSS 6.1
CVE-2018-6882 [MEDIUM] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cert.gov.ua/article/39606; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-10
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
cisa·2022-04-19·CVSS 6.1
CVE-2018-6882 [MEDIUM] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-6882
Remediation Due Date: 2022-05-10
No detection rules found.
Nuclei
Zimbra Collaboration Suite - Cross-site Scripting
nuclei·CVSS 6.1
CVE-2018-6882 [MEDIUM] Zimbra Collaboration Suite - Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
Template:
```yaml
id: CVE-2018-6882
info:
  name: Zimbra Collaboration Suite - Cross-site Scripting
  author: Sourabh-Sahu
  severity: medium
  description: |
    Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
  impact: |
    Attacke
```
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2018/Mar/52
- http://www.securityfocus.com/archive/1/541891/100/0/threaded
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6882
Timeline
- 2018-03-27: Published
- 2022-04-19: Added to CISA KEV
- Exploited in the wild