Message-ID: <eaa908a8-929d-98d9-8a66-04a8ccc6da53@sysdream.com>
Date: Wed, 30 Jan 2019 09:42:56 +0100
From: Sysdream Labs <labs@...dream.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration
# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration
## Description
Two XSS vulnerabilities have been discovered in Zimbra Collaboration
(initially found in version 8.8.8).
Zimbra Collaboration is an open source messaging and collaboration solution.
## Vulnerability records
**Access Vector**: Remote
**Security Risk**: Medium
**Vulnerability**: CWE-79
**CVSS Base Score**: 6.1
**CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
## Details
Two Reflected XSS vulnerabilities allow remote attackers to inject
arbitrary JavaScript in web browsers.
### Proof of Concept - XSS #1
To reproduce the first XSS, login to https://host.com/zimbra/ and click
on the link below:
```
https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg onload=alert(1)>
```
### Proof of Concept - XSS #2
1. First, login to `https://host.com/zimbra/`
2. Click on "Preferences", then on "Import / Export".
3. Finally, just import a file named `test.<svg onload=alert(2)>` to get
the second XSS payload executed.
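For defenders who cannot patch immediately, the following is an added detection example (not part of the advisory and not Zimbra code) that scans web-server access logs for requests to the `/zimbra/h/search` endpoint whose `id` parameter carries HTML markup, i.e. attempts at XSS #1; the log format, the sample lines and the repeated percent-decoding heuristic are assumptions made for the demo.

```python
# Added example, not from the advisory: flag access-log requests that hit the
# reflected-XSS endpoint (XSS #1) with tag markup in the "id" parameter.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed combined log format: ip - user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/zimbra/h/search"   # endpoint named in the advisory
VULN_PARAM = "id"                # parameter reflected without output encoding
TAG_RE = re.compile(r"<\s*[a-zA-Z!/]")  # start of an HTML tag, e.g. "<svg"

def decode_until_stable(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded variants are not missed (heuristic)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_attempts(log_lines):
    """Return (ip, timestamp, decoded id value) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # keep_blank_values keeps "action=" style empty parameters visible
        for raw in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
            value = decode_until_stable(raw)   # parse_qs already decoded once
            if TAG_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample log: the advisory's PoC URL (encoded), a benign search,
# a double-encoded variant and a request to a different endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2019:09:42:56 +0100] "GET /zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jan/2019:09:43:10 +0100] "GET /zimbra/h/search?si=1&st=message&id=2871 HTTP/1.1" 200 4890',
    '198.51.100.9 - - [30/Jan/2019:09:44:01 +0100] "GET /zimbra/h/search?id=%2522%2522%253E%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 4890',
    '203.0.113.8 - - [30/Jan/2019:09:45:00 +0100] "GET /zimbra/h/prefs?id=%3Csvg%3E HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for ip, ts, value in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} id={value!r}")
```

The filename-based XSS #2 arrives in a multipart upload body and is not visible in the request line, so it needs inspection of the import request body or of the Zimbra application logs instead.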
## Affected versions
Versions < 8.8.11.
## Solution
Update to version 8.8.11 which includes all fixes.
## Timeline (dd/mm/yyyy)
* 12/07/2018 : Initial discovery
* 21/07/2018 : Vendor notification
* 21/07/2018 : Vendor acknowledgment
* 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9
patch 6 (XSS 1)
* 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)
* 30/01/2019 : Public disclosure
## Credits
* Issam Rabhi <i.rabhi@...dream.com>
Thanks to the Zimbra security team for the perfect report handling!
--
SYSDREAM Labs <labs@...dream.com>
GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/