Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
References
Link | Resource |
---|---|
https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html | Exploit Third Party Advisory |
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories | Vendor Advisory |
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 | Permissions Required |
https://bugzilla.zimbra.com/show_bug.cgi?id=108786 | Issue Tracking |
http://seclists.org/fulldisclosure/2018/Mar/52 | Mailing List Third Party Advisory |
http://www.securityfocus.com/archive/1/541891/100/0/threaded | Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
|
Information
Published : 2018-03-27 09:29
Updated : 2019-03-05 11:13
NVD link : CVE-2018-6882
Mitre link : CVE-2018-6882
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
synacor
- zimbra_collaboration_suite