CVE-2018-6882
published 2018-03-27

CVE-2018-6882: Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x…

Priority P181 · medium · 6.1 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-05-10
Exploited in the wild
EPSS: 23.72% (97.5th percentile)
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
synacor | zimbra_collaboration_suite | < 8.7.0 | 8.7.0
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |
synacor | zimbra_collaboration_suite | |

Detection & IOCs (extracted from sources)

path: /service/soap/SearchConvRequest
command: Content-Location: http://foo.bar'>
other: onerror=alert(document.domain)
  • Detect vulnerable Zimbra versions by matching CLIENT_VERSION in ZmSettings.js against known vulnerable version strings (8.7.0, 8.7.5, 8.7.11, 8.8.0, 8.8.6 GA builds).
  • Exploitation is delivered via SMTP (port 25) using a crafted multipart email with a malicious Content-Location header in an attachment part containing an XSS payload (e.g., `http://foo.bar'>`). Monitor inbound SMTP traffic for Content-Location headers containing HTML/JS injection characters.
  • Attackers authenticate to Zimbra via POST to `/` with `loginOp=login` and extract a CSRF token (`window.csrfToken`) and session ID from the response before issuing the SOAP SearchConvRequest. Monitor for automated login + SOAP enumeration sequences.
  • The SOAP exploit request targets `/service/soap/SearchConvRequest` with `fetch`, `html:1`, and a large `max` value. The X-Zimbra-Csrf-Token header is present. Correlate this with prior login activity as part of a multi-step attack chain.
  • The advisory reference at securify.nl provides full technical details of the vulnerability in ZmMailMsgView.getAttachmentLinkHtml. Use it for additional payload patterns.
  • The Nuclei template requires valid Zimbra credentials (`{{user}}`, `{{pass}}`, `{{mail}}`) and an interactsh callback URL (`{{base}}`). Without these, the multi-step flow (version check → login → SOAP request → SMTP delivery) cannot complete.
  • The template is marked `intrusive` and requires SMTP port 25 to be accessible from the scanner to the target Zimbra server to deliver the malicious email attachment.
  • The full exploit flow requires four sequential steps to succeed: HTTP version check, TCP SMTP delivery, HTTP login (with CSRF/session extraction), and HTTP SOAP SearchConvRequest. All four must succeed (`flow: http(1) && tcp(1) && http(2) && http(3)`).
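
An added example (not taken from the advisory, the Nuclei template or Zimbra) of the inbound-mail check described in the list above: it walks every MIME part of a message and flags `Content-Location` values containing characters that can break out of HTML markup, including values hidden in RFC 2047 encoded-words. The character set, the function name and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Assumed heuristic: characters that do not belong in a URI and can
# terminate an HTML attribute or open a tag when the value is rendered.
SUSPICIOUS = re.compile(r"""['"<>`]""")

def flag_content_location(raw: bytes):
    """Return (filename, decoded header value, offending chars) per flagged part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # policy.default unfolds the header and decodes RFC 2047 encoded-words,
        # so an encoded value is inspected in the form a mail client would see.
        for value in part.get_all("Content-Location", []):
            decoded = str(value)
            hits = sorted(set(SUSPICIOUS.findall(decoded)))
            if hits:
                findings.append((part.get_filename(), decoded, hits))
    return findings

# Constructed sample message: one clean part, one with the value quoted on
# this page, and one carrying the same value as an encoded-word.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="ok.png"
Content-Location: http://example.test/ok.png

x
--b1
Content-Disposition: attachment; filename="a.png"
Content-Location: http://foo.bar'>

x
--b1
Content-Disposition: attachment; filename="b.png"
Content-Location: =?utf-8?q?http=3A//foo.bar=27=3E?=

x
--b1--
"""

if __name__ == "__main__":
    for name, value, hits in flag_content_location(SAMPLE):
        print(f"{name}: Content-Location={value!r} suspicious={hits}")
```

The same function can be called from a mail-gateway hook or run over quarantined `.eml` files; matches are a triage signal to correlate with the login and SOAP activity listed above.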

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck | | 6.1 | MEDIUM |
cisa | | 6.1 | MEDIUM |