CVE-2023-34192

CVSS 9 CRITICAL · EPSS 77.3% · KEV · CWE-79
In short

A security flaw in Zimbra ZCS 8.8.15 allows an authenticated user to inject malicious scripts through the auto-save draft feature; the scripts then execute in other users' browsers. This can lead to account takeover or data theft.

Technical detail

A cross-site scripting (XSS) vulnerability in the /h/autoSaveDraft endpoint of Zimbra ZCS 8.8.15 allows an authenticated attacker to inject arbitrary JavaScript code that executes in the context of other users' sessions. The vulnerability requires prior authentication and can result in session hijacking, credential theft, or malware distribution within the email system.

Summary generated and translated by AI from the official description.
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products
n/a · n/a
