cbcvebase.
CVE-2023-34192
published 2023-07-06

Priority: P1 · 83 · critical · 9 · CVSS 3.1
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-03-18
Exploited in the wild
EPSS: 77.27% (99.5th percentile)
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Affected (1 range)

Vendor: synacor
Product: zimbra_collaboration_suite
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb
path: /h/autoSaveDraft
  • Detect exploitation attempts by matching reflected XSS payload in HTTP response body: look for both 'alert(document.domain)' and 'zimbra' strings together in the response body with a 200 OK and text/html content-type header.
  • The attack flow consists of two steps: (1) POST to /zimbra/ with loginOp=login credentials to authenticate, then (2) GET request to /h/autoSaveDraft with a URL-encoded XSS payload in the 'draftid' parameter.
  • Identify Zimbra instances via Shodan favicon hashes 475145467 or 1624375939, or FOFA queries icon_hash='475145467', icon_hash='1624375939', or app='zimbra-邮件系统'.
  • Monitor HTTP requests to /h/autoSaveDraft containing URL-encoded script tags or HTML injection characters (e.g., %3Cscript%3E, %22%3E) in the 'draftid' query parameter.
  • Exploitation requires prior authentication — the attacker must first obtain valid Zimbra credentials before triggering the XSS via /h/autoSaveDraft.
  • Vulnerability is confirmed only in Zimbra Collaboration Suite v.8.8.15; other versions may or may not be affected.
  • This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a remediation due date of 2025-03-18, indicating active in-the-wild exploitation.
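The request-side and response-side checks from the detection bullets above, written here as an added example (not code from the source page or from Zimbra): the access-log format and sample lines are constructed, and the token list in SUSPICIOUS is an assumption about what a legitimate draft id never contains.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access-log entry (constructed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Assumption: a legitimate draft id never contains these tokens.
SUSPICIOUS = re.compile(r"""[<>"']|<\s*script|javascript:""", re.IGNORECASE)

def suspicious_draftid(line):
    """Return the decoded 'draftid' value when the request targets
    /h/autoSaveDraft with injection characters in it, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/h/autoSaveDraft":
        return None
    # parse_qs decodes one layer; unquote once more to catch double-encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("draftid", []):
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def reflected_in_response(status, content_type, body):
    """Response-side check from the guidance above: the reflected payload and
    the string 'zimbra' together in a 200 text/html body."""
    return (status == 200 and content_type.lower().startswith("text/html")
            and "alert(document.domain)" in body and "zimbra" in body.lower())

def scan(lines):
    """Collect (line number, decoded draftid) for every flagged log line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        value = suspicious_draftid(line)
        if value is not None:
            hits.append((lineno, value))
    return hits

# Constructed sample lines: benign id, the quoted payload, the same payload
# double-encoded, and script tags on another path (outside this rule).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jul/2023:10:00:01 +0000] "GET /h/autoSaveDraft?draftid=257 HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Jul/2023:10:00:02 +0000] "GET /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Jul/2023:10:00:03 +0000] "GET /h/autoSaveDraft?draftid=a%2522%253E%253Cscript%253E HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Jul/2023:10:00:04 +0000] "GET /h/search?query=%3Cscript%3E HTTP/1.1" 200 300',
]
```

scan(SAMPLE_LOG) flags lines 2 and 3 only; the double-encoded case is why the extra unquote matters.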

CVSS provenance

Source · Version · Score · Severity · Vector
nvd · v3.1 · 9.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vulncheck · 9.0 · CRITICAL
cisa · 9.0 · CRITICAL