CVE-2023-34192 : Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authen

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Published 2023-07-06 16:15:10

Updated 2025-02-27 02:00:02

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Execute code

Products affected by CVE-2023-34192

Zimbra » Collaboration » Version: 8.8.15
cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P1
cpe:2.3:a:zimbra:collaboration:8.8.15:p1:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P10
cpe:2.3:a:zimbra:collaboration:8.8.15:p10:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P11
cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P12
cpe:2.3:a:zimbra:collaboration:8.8.15:p12:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P13
cpe:2.3:a:zimbra:collaboration:8.8.15:p13:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P14
cpe:2.3:a:zimbra:collaboration:8.8.15:p14:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P15
cpe:2.3:a:zimbra:collaboration:8.8.15:p15:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P16
cpe:2.3:a:zimbra:collaboration:8.8.15:p16:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P2
cpe:2.3:a:zimbra:collaboration:8.8.15:p2:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P3
cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P4
cpe:2.3:a:zimbra:collaboration:8.8.15:p4:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P5
cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P6
cpe:2.3:a:zimbra:collaboration:8.8.15:p6:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P7
cpe:2.3:a:zimbra:collaboration:8.8.15:p7:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P8
cpe:2.3:a:zimbra:collaboration:8.8.15:p8:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P9
cpe:2.3:a:zimbra:collaboration:8.8.15:p9:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P17
cpe:2.3:a:zimbra:collaboration:8.8.15:p17:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P18
cpe:2.3:a:zimbra:collaboration:8.8.15:p18:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P19
cpe:2.3:a:zimbra:collaboration:8.8.15:p19:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P20
cpe:2.3:a:zimbra:collaboration:8.8.15:p20:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P21
cpe:2.3:a:zimbra:collaboration:8.8.15:p21:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P22
cpe:2.3:a:zimbra:collaboration:8.8.15:p22:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P23
cpe:2.3:a:zimbra:collaboration:8.8.15:p23:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P24
cpe:2.3:a:zimbra:collaboration:8.8.15:p24:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P25
cpe:2.3:a:zimbra:collaboration:8.8.15:p25:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P26
cpe:2.3:a:zimbra:collaboration:8.8.15:p26:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P27
cpe:2.3:a:zimbra:collaboration:8.8.15:p27:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P28
cpe:2.3:a:zimbra:collaboration:8.8.15:p28:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P29
cpe:2.3:a:zimbra:collaboration:8.8.15:p29:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P30
cpe:2.3:a:zimbra:collaboration:8.8.15:p30:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P31
cpe:2.3:a:zimbra:collaboration:8.8.15:p31:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P32
cpe:2.3:a:zimbra:collaboration:8.8.15:p32:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P33
cpe:2.3:a:zimbra:collaboration:8.8.15:p33:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P34
cpe:2.3:a:zimbra:collaboration:8.8.15:p34:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P35
cpe:2.3:a:zimbra:collaboration:8.8.15:p35:*:*:*:*:*:*
Matching versions
Zimbra » Collaboration » Version: 8.8.15 Update P37
cpe:2.3:a:zimbra:collaboration:8.8.15:p37:*:*:*:*:*:*
Matching versions

CVE-2023-34192 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

CISA required action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Notes:

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2023-34192

Added on 2025-02-25 Action due date 2025-03-18

Exploit prediction scoring system (EPSS) score for CVE-2023-34192

EPSS FAQ

84.49%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-34192

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-25
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-34192

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-34192

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Zimbra Security Advisories - Zimbra :: Tech Center
Vendor Advisory

CVEs referencing this url
https://wiki.zimbra.com/wiki/Security_Center

Security Center - Zimbra :: Tech Center
Release Notes;Vendor Advisory

CVEs referencing this url
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Zimbra Responsible Disclosure Policy - Zimbra :: Tech Center
Not Applicable

CVEs referencing this url