# [CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities
in Zimbra Collaboration

## Description

Two XSS vulnerabilities have been discovered in Zimbra Collaboration
(initially in version 8.8.8).
Zimbra Collaboration is an open source messaging and collaboration solution.

## Vulnerability records

**Access Vector**: Remote

**Security Risk**: Medium

**Vulnerability**: CWE-79

**CVSS Base Score**: 6.1

**CVSS String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

## Details

Two Reflected XSS vulnerabilities allow remote attackers to inject
arbitrary JavaScript in web browsers.

### Proof of Concept - XSS\#1

To reproduce the first XSS, login to https://host.com/zimbra/ and click
on the link below:

```
https://host.com/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=""><svg
onload=alert(1)>
```

### Proof of Concept - XSS\#2

1. First, login to `https://host.com/zimbra/`

2. Click on "Preferences", then on "Import / Export".

3. Finally, just import a file named `test.<svg onload=alert(2)>` to get
the second XSS payload executed.


## Affected versions

Versions < 8.8.11.

## Solution

Update to version 8.8.11 which includes all fixes.

## Timeline (dd/mm/yyyy)

* 12/07/2018  : Initial discovery
* 21/07/2018  : Vendor notification
* 21/07/2018  : Vendor acknowledgment
* 18/10/2018  : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9
patch 6 (XSS 1)
* 18/12/2018  : Vendor full fixes in ZCS 8.8.11 (XSS 2)
* 30/01/2019    : Public disclosure

## Credits

* Issam Rabhi <i.rabhi@sysdream.com>

Thanks to the Zimbra security team for the perfect report handling !

-- 
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream