The attached file must be uploaded through the administration interface. Consider the following example.

<form action="http://[attacker's server]:8080/h/compose?attachUrl=%22%3Ejavascript:(function(){var n=this;n.puts('<SCRIPT>alert(1)</SCRIPT>');})();">
  <input type="hidden" name="attachUrl" value="javascript:;">
  <button>Send</button>
</form>

When this form is posted to the URL /h/compose?attachUrl=javascript:; , the victim's browser executes the following JavaScript code:

alert(1);

This results in an alert informing the user that his email has been changed.

In ZCS 8.7.2, this vulnerability can be exploited only through the web interface. In older versions, the /h/compose URL can be accessed through any HTTP client.

ZCS-82512: CVE-2023-41349 - Remote code execution via a CSRF attack

In ZCS 8.7.2 and older versions, the /h/compose URL can be accessed through any HTTP client. In those same versions, if the URL is accessed through the web interface or a malicious HTTP client, the <input type="hidden" name="attachUrl" value="javascript:;"> input field is vulnerable to a CSRF attack. This vulnerability can be exploited only when using Chrome, because it contains an unchecked X-Frame-Options header that allows access from an XSS attack, which prevents exploitation through all other browsers. This vulnerability can also be exploited by using PHP's exec() function to execute JavaScript code in a victim's browser, bypassing Chrome's Content Security Policy (CSP) check for JavaScript execution in the browser.

ZCS-947: Unable to Upload New Email Host

An attacker could exploit this vulnerability by sending an email to an administrator that contains a URL pointing to a malicious server.
The victim's browser would automatically download the file, which is why this form can't be used with the web interface.

This vulnerability can also be exploited through any HTTP client, including the legitimate one, /h/admin.

Summary: ZCS 8.7.2 misconfiguration allows remote code execution

Zimbra Collaboration Suite 8.7.2 contains an input validation vulnerability which can be exploited only through the web interface, but is also present in older versions since it was introduced with ZCS 8.
This vulnerability can allow remote code execution on a vulnerable server by embedding malicious JavaScript code into a form that would cause the victim's browser to execute it when posting to the /h/compose URL.

Timeline

Published on: 10/12/2022 20:15:00 UTC
Last modified on: 10/13/2022 20:42:00 UTC
