Detections
Analytics
Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 41, 10.0 < 10.0.9, 10.1.0 < 10.1.1 XSS
medium Nessus Plugin ID 211698
Synopsis
The remote web server contains a web application that is affected by a cross-site scripting.Description
An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to version 9.0.0 Patch 41, 10.0.9, 10.1.1 or later.See Also
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1
Plugin Details
Severity: Medium
ID: 211698
File Name: zimbra_CVE-2024-45510.nasl
Version: 1.1
Type: combined
Agent: unix
Family: CGI abuses
Published: 11/21/2024
Updated: 11/21/2024
Supported Sensors: Nessus Agent, Nessus
Risk Information
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2024-45510
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Information
CPE: cpe:/a:zimbra:collaboration_suite
Required KB Items: installed_sw/zimbra_zcs
Patch Publication Date: 9/4/2024
Vulnerability Publication Date: 11/20/2024
Reference Information
CVE: CVE-2024-45510
IAVA: 2024-A-0764