A critical cross site scripting (XSS) vulnerability (CVE-2023-34192) in popular open source email collaboration suite Zimbra is being exploited by attackers.
About the vulnerability (CVE-2023-34192)
CVE-2023-34192 could allow a remote authenticated threat actor to execute arbitrary code through a crafted script to the /h/autoSaveDraft function. It affects Zimbra Collaboration Suite (ZCS) v.8.8.15.
The company has provided admins with instruction on how to apply the fix manually, by editing a single data file.
“This vulnerability has been actively exploited, making it imperative to take immediate action. We strongly recommend following the provided mitigation steps without delay,” the company noted.
“The issue has been fixed through input sanitization. We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release.”
Applying the fix will not lead to downtime, as it does not require service restart.
Zimbra is a popular target
Clément Lecigne of Google Threat Analysis Group discovered and reported this vulnerability.
Vulnerabilities – zero-days or not – in ZCS are often exploited by attackers, since Zimbra is widely used by a variety of organizations, including government agencies, universities, companies, etc. The European Union’s Commision has even offered rewards for bugs found in Zimbra (and other open source software solutions it uses).
In late 2021, a Zimbra zero-day vulnerability (CVE-2022-24682) was exploited by Chinese hackers to target European governments.
In August 2022, CISA published an advisory about several vulnerabilities in Zimbra Collaboration Suite, mostly critical and exploited in the wild.
Later that same year, a critical remote code execution vulnerability (CVE-2022-41352) was found being exploited in the wild by APT groups.
In April 2023, a cross-site scripting flaw (CVE-2022-27926) was leveraged by Russian hackers to target NATO countries.