Cyber Resilience

CVE-2018-6882

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 27 March 2018
Modified: 04 November 2025
KEV Added: 19 April 2022
Patch
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.7702 (99.0th percentile)
Risk Priority: 78 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-6882 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a cross-site scripting flaw (CWE-79) in the ZmMailMsgView.getAttachmentLinkHtml function of Zimbra Collaboration Suite (ZCS) versions before 8.7 Patch 1 and 8.8.x before 8.8.7. It is rated 6.1 on CVSS 3.1 and can be triggered via a Content-Location header present in an email attachment.

An unauthenticated remote attacker can exploit the issue by sending a crafted message containing a malicious attachment; when the recipient views the message, arbitrary script or HTML supplied in the header is rendered in the ZCS web interface, enabling actions such as session hijacking or data theft within the victim's browser context.

Zimbra security advisories and release notes direct administrators to upgrade to the fixed versions 8.7 Patch 1 or 8.8.7, which address the defect in the attachment link rendering code. No public information on active exploitation is referenced in the provided sources.

EU & UK References

Vulnerability details

Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 19 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Versions: 8.7.0, 8.8.0, 8.8.1, 8.8.2, 8.8.3 · ≤ 8.7.0

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation) · prevent

Directly requires validation and sanitization of untrusted input such as the Content-Location header before it is rendered by ZmMailMsgView.getAttachmentLinkHtml, blocking the XSS payload.

SI-2 (Flaw Remediation) · prevent

Mandates timely application of the vendor patches (8.7 Patch 1 / 8.8.7) that correct the attachment-link rendering defect described in the CVE.

SI-15 (Information Output Filtering) · prevent

Requires filtering of information output by the web interface so that script or HTML supplied via the malicious header is not emitted to the browser.
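The following is an added illustration of the two code-level controls above (input validation of a header value, and escaping it before it reaches the browser) as a webmail client might apply them when turning an attachment's Content-Location into a link. It is not Zimbra's code; the function names (isSafeAttachmentLocation, escapeHtmlAttr, buildAttachmentLinkHtml) and the sample header values are assumptions constructed for the example.

```javascript
// Added example, not from Zimbra Collaboration Suite. Demonstrates SI-10 style
// validation plus SI-15 style output escaping for a header-derived link.

// Characters that must never reach an HTML attribute or text node unescaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output filtering: escape a value so it is inert inside a quoted attribute or text content.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: a Content-Location used as a link target is accepted only if it is
// a relative reference or an http(s) URL with no control characters. Anything else is
// rejected rather than "cleaned", so unexpected schemes never become a clickable target.
function isSafeAttachmentLocation(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (/[\u0000-\u001f\u007f]/.test(value)) return false;
  const scheme = value.trim().match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/);
  if (scheme) return ['http', 'https'].includes(scheme[1].toLowerCase());
  return true; // no scheme: treated as a relative reference
}

// Build the anchor. Validation decides what the href may be; escaping guarantees that
// whatever string is emitted cannot close the attribute or start a new element.
function buildAttachmentLinkHtml(contentLocation, fileName) {
  const href = isSafeAttachmentLocation(contentLocation) ? contentLocation : '#';
  return `<a href="${escapeHtmlAttr(href)}" rel="noopener">${escapeHtmlAttr(fileName)}</a>`;
}

// Constructed sample: a header value containing attribute-breaking characters.
const sampleHeader = 'files/report.pdf"><em>x</em>';
console.log(buildAttachmentLinkHtml(sampleHeader, 'report.pdf'));
```

The important design point is that validation and escaping are separate layers: validation limits what the header may denote (a relative path or http(s) URL), while escaping is applied unconditionally to every value placed in the markup, so a validation mistake still does not produce executable HTML.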

References