CVE-2023-34192
published 2023-07-06
CVE-2023-34192: Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the…
Priority P1 · 83 · critical · 9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-03-18
Exploited in the wild
EPSS: 77.27% (99.5th percentile)
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
URL: /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb
- Detect exploitation attempts by matching the reflected XSS payload in the HTTP response body: look for both 'alert(document.domain)' and 'zimbra' in the response body, together with a 200 OK status and a text/html content-type header.
- The attack flow consists of two steps: (1) POST to /zimbra/ with loginOp=login and credentials to authenticate, then (2) GET /h/autoSaveDraft with a URL-encoded XSS payload in the 'draftid' parameter.
- Identify Zimbra instances via Shodan favicon hashes 475145467 or 1624375939, or FOFA queries icon_hash='475145467', icon_hash='1624375939', or app='zimbra-邮件系统'.
- Monitor HTTP requests to /h/autoSaveDraft containing URL-encoded script tags or HTML injection characters (e.g., %3Cscript%3E, %22%3E) in the 'draftid' query parameter.
- Exploitation requires prior authentication: the attacker must first obtain valid Zimbra credentials before triggering the XSS via /h/autoSaveDraft.
- The vulnerability is confirmed only in Zimbra Collaboration Suite v.8.8.15; other versions may or may not be affected.
- This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a remediation due date of 2025-03-18, indicating active in-the-wild exploitation.
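The two detection indicators above (request side: URL-encoded markup in the 'draftid' parameter of /h/autoSaveDraft; response side: a 200 text/html reply whose body carries both 'alert(document.domain)' and 'zimbra') as working detection logic. This is an added example for this page, not code from Zimbra, the Nuclei template or any indexed source. The access-log lines are constructed in combined log format, and the percent-decoding and the injection regex are assumptions about what a useful heuristic looks like, not a signature published by any of the sources.

```python
"""Detection helpers for CVE-2023-34192 exploitation attempts against
Zimbra /h/autoSaveDraft (added example, not Zimbra's or a vendor's code)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 2 carries the page's PoC payload, line 4 an attribute/event-handler variant,
# line 3 is a benign numeric draftid, line 1 is the login POST that precedes the GET.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2025:10:01:02 +0000] "POST /zimbra/ HTTP/1.1" 302 0
203.0.113.7 - - [25/Feb/2025:10:01:03 +0000] "GET /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb HTTP/1.1" 200 5120
198.51.100.4 - - [25/Feb/2025:10:02:00 +0000] "GET /h/autoSaveDraft?draftid=257 HTTP/1.1" 200 3011
198.51.100.9 - - [25/Feb/2025:10:03:00 +0000] "GET /h/autoSaveDraft?draftid=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup that has no business in a draft id (assumed heuristic): a tag open,
# a quote-then-'>' attribute breakout, an on*= event handler, or a javascript: URL.
INJECTION_RE = re.compile(r'''<\s*/?\s*[a-z]|["']\s*>|on[a-z]+\s*=|javascript:''', re.IGNORECASE)


def decoded_draftid(target):
    """Return the percent-decoded 'draftid' of a /h/autoSaveDraft request, else None."""
    parts = urlsplit(target)
    if parts.path != "/h/autoSaveDraft":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    if "draftid" not in qs:
        return None
    # Decode a second time so a double-encoded payload (%253C) is also normalised.
    return unquote(qs["draftid"][0])


def is_suspicious_draftid(value):
    """True when the decoded draftid contains HTML/JS injection markup."""
    return value is not None and INJECTION_RE.search(value) is not None


def find_request_hits(log_text):
    """Request-side indicator: scan log lines, return the suspicious autoSaveDraft requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = decoded_draftid(m["target"])
        if is_suspicious_draftid(value):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "draftid": value})
    return hits


def response_indicates_reflection(status, content_type, body):
    """Response-side indicator from the page: 200, text/html, and both
    'alert(document.domain)' and 'zimbra' present in the body."""
    if status != 200 or not content_type.lower().startswith("text/html"):
        return False
    lowered = body.lower()
    return "alert(document.domain)" in lowered and "zimbra" in lowered


if __name__ == "__main__":
    for hit in find_request_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} draftid={hit['draftid']!r}")
```

The request-side check is the one worth alerting on in proxy or web-server logs, since the response body is usually not logged. Note that 'zimbra' appears in essentially every Zimbra page, so in the response-side check the 'alert(document.domain)' string does all the work and only catches this particular PoC payload; the decoded-parameter regex covers the broader class of markup injected into 'draftid'.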
CVSS provenance
nvd · v3.1 · 9.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vulncheck · 9.0 CRITICAL
cisa · 9.0 CRITICAL
GHSA
GHSA-77v2-mcx8-5hqm: Cross Site Scripting vulnerability in Zimbra ZCS v
ghsa_unreviewed · 2023-07-06 · CVE-2023-34192 [CRITICAL] · CWE-79
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
vulncheck · 2023 · CVSS 9.0 · CVE-2023-34192 [CRITICAL] · CWE-79
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/resources/research-reports/global-cybersecurity-report/; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
cisa · 2025-02-25 · CVSS 9.0 · CVE-2023-34192 [CRITICAL] · CWE-79
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2023-34192
Remediation Due Date: 2025-03-18
No detection rules found.
Nuclei
Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
nuclei · CVSS 9.0 · CVE-2023-34192 [CRITICAL]
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Template:
```yaml
id: CVE-2023-34192

info:
  name: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
  author: ritikchaddha
  severity: critical
  description: |
    Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
```
No writeups or analysis indexed.
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34192
Published: 2023-07-06
Added to CISA KEV: 2025-02-25
Exploited in the wild