PT-2022-25821 · Zimbra · Zimbra Collaboration Suite
Tf1T
·
Published
2022-10-12
·
Updated
2022-10-13
·
CVE-2022-41349
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zimbra Collaboration Suite version 8.8.15
Description
The issue concerns a Reflected XSS vulnerability. It is related to the URL at "/h/compose" which accepts an
attachUrl parameter. This allows for the execution of arbitrary JavaScript on the victim's machine.Recommendations
For Zimbra Collaboration Suite version 8.8.15, consider restricting access to the "/h/compose" endpoint until a patch is available. As a temporary workaround, avoid using the
attachUrl parameter in the affected API endpoint until the issue is resolved.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zimbra Collaboration Suite