PT-2022-23767 · Zimbra · Zimbra Collaboration Suite
Published 2022-08-11 · Updated 2022-08-16 · CVE-2022-37044
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Zimbra Collaboration Suite version 8.8.15
Description
The issue is a reflected XSS in the /h/search?action API endpoint, which accepts the parameters extra, title, and onload and only partially sanitizes them. This allows arbitrary JavaScript to execute in the victim's browser.
Recommendations
For Zimbra Collaboration Suite version 8.8.15, consider restricting access to the /h/search?action API endpoint until a patch is available. As a temporary workaround, avoid using the parameters extra, title, and onload in the affected endpoint to minimize the risk of exploitation.
Fix
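Until the endpoint is restricted or patched, defenders can at least watch for requests that probe the three parameters. The following detector is an added example, not part of this advisory or of Zimbra's code: it scans HTTP access-log lines (a constructed sample is embedded) for requests to /h/search that carry the action parameter together with an extra, title, or onload value containing markup or script-like content after URL decoding. The log format, the regular expressions, and the suspicious-token heuristic are all assumptions made for the example.

```python
"""Hypothetical detector for reflected-XSS probes against Zimbra's /h/search endpoint.

Added example, not part of the advisory or Zimbra's own code.  It flags access-log
lines whose request targets /h/search with an `action` parameter and puts
markup-like content into `extra`, `title` or `onload`.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as only partially sanitized.
WATCHED_PARAMS = ("extra", "title", "onload")

# Tokens that do not belong in a plain search title and hint at an attempt to
# break out of the reflected context.  Heuristic chosen for this example.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Request line of a common/combined format access log (assumed layout).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_suspicious_request(target: str) -> bool:
    """True if `target` (path plus query) looks like a probe of the affected parameters."""
    parts = urlsplit(target)
    if parts.path != "/h/search":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if "action" not in params:
        return False
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs already decoded once; decode a second time so that
            # double-encoded values are inspected in their final form.
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                return True
    return False


def scan_access_log(lines):
    """Return (line_number, target) for every log line matching the heuristic."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2022:10:00:01 +0000] "GET /h/search?action=compose&title=Quarterly%20report HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2022:10:00:02 +0000] "GET /h/search?action=compose&title=%3Cscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Aug/2022:10:00:03 +0000] "GET /h/search?action=compose&onload=%2522%253E%253Cscript%253E HTTP/1.1" 200 640',
    '198.51.100.7 - - [11/Aug/2022:10:00:04 +0000] "GET /h/search?title=%3Cb%3E HTTP/1.1" 200 640',
    '192.0.2.9 - - [11/Aug/2022:10:00:05 +0000] "GET /h/search?action=view&extra=%22%3E HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, target in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {target}")
```

Lines 2, 3 and 5 of the sample are flagged; line 4 is not, because the advisory ties the issue to the action parameter, and line 1 carries an ordinary title. The double decode matters: the third sample line would slip past a single-decode check.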
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Zimbra Collaboration Suite