CVE-2018-6882
Published: 27 March 2018
Summary
CVE-2018-6882 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a cross-site scripting flaw (CWE-79) in the ZmMailMsgView.getAttachmentLinkHtml function of Zimbra Collaboration Suite (ZCS) versions before 8.7 Patch 1 and 8.8.x before 8.8.7. It is rated 6.1 on CVSS 3.1 and can be triggered via a Content-Location header present in an email attachment.
An unauthenticated remote attacker can exploit the issue by sending a crafted message containing a malicious attachment; when the recipient views the message, arbitrary script or HTML supplied in the header is rendered in the ZCS web interface, enabling actions such as session hijacking or data theft within the victim's browser context.
Zimbra security advisories and release notes direct administrators to upgrade to the fixed versions 8.7 Patch 1 or 8.8.7, which address the defect in the attachment link rendering code. No public information on active exploitation is referenced in the provided sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-18627
Vulnerability details
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
- CWE(s): CWE-79 (Cross-site Scripting)
- KEV Date Added: 19 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input such as the Content-Location header before it is rendered by ZmMailMsgView.getAttachmentLinkHtml, blocking the XSS payload.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches (8.7 Patch 1 / 8.8.7) that correct the attachment-link rendering defect described in the CVE.
- SI-15 (Information Output Filtering): requires filtering of information output by the web interface so that script or HTML supplied via the malicious header is not emitted to the browser.
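As an added illustration of the input-validation (SI-10) and output-filtering (SI-15) controls above, applied to the Content-Location vector described under Deeper analysis, the following JavaScript is example code, not Zimbra's own; the function names, the URI plausibility check and the sample MIME headers are assumptions constructed for this example.

```javascript
// Added illustrative example (not Zimbra's own code): building an attachment
// link from an untrusted Content-Location header safely, plus a header check
// a mail gateway or log pipeline could apply. All function names are hypothetical.

// Escape the five HTML-significant characters so a header value can be placed
// in an attribute or text node without being parsed as markup (SI-15).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Content-Location carries a URI (RFC 2557). A valid URI never contains raw
// whitespace, double quotes or angle brackets; reject anything outside the
// unreserved/reserved URI character set (SI-10).
function isPlausibleContentLocation(value) {
  return /^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$/.test(value);
}

// Hardened link builder: href limited to relative paths, cid: or http(s):,
// and every untrusted value escaped before it reaches the DOM.
function buildAttachmentLinkHtml(contentLocation, displayName) {
  const loc = String(contentLocation || "");
  const safeName = escapeHtml(displayName || loc || "attachment");
  let href = "#"; // fall back to an inert link when the header is not a clean URI
  if (isPlausibleContentLocation(loc) && /^(https?:|cid:|[^:]*$)/i.test(loc)) {
    href = escapeHtml(loc);
  }
  return `<a href="${href}" target="_blank" rel="noopener">${safeName}</a>`;
}

// Scan raw MIME header lines and report Content-Location values that would
// not survive strict URI validation (useful as a gateway or SIEM detection).
function findSuspiciousContentLocations(headerLines) {
  const findings = [];
  for (const line of headerLines) {
    const m = /^Content-Location:\s*(.*)$/i.exec(line);
    if (m && !isPlausibleContentLocation(m[1].trim())) findings.push(m[1].trim());
  }
  return findings;
}

// Constructed sample input: one benign attachment header and one whose
// Content-Location carries markup characters that should never appear in a URI.
const SAMPLE_HEADERS = [
  'Content-Type: application/pdf; name="report.pdf"',
  "Content-Location: report.pdf",
  "Content-Type: image/png",
  'Content-Location: logo.png"><i>injected</i>',
];
```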