CVE-2023-37580
Published: 31 July 2023
Summary
CVE-2023-37580 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).
Operationally it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, so the Medium base score understates the priority it should receive.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering); upgrading to 8.8.15 Patch 41 or later remains the primary remediation.
Deeper analysis
CVE-2023-37580 is a cross-site scripting vulnerability, tracked as CWE-79, that affects Zimbra Collaboration (ZCS) version 8 prior to 8.8.15 Patch 41. The flaw resides in the Zimbra Classic Web Client and carries a CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): network attack vector, low complexity, no privileges required, user interaction required, and changed scope because the injected script runs in the victim's browser rather than on the server.
An unauthenticated attacker can supply a crafted link or message that, when viewed by a user in the Classic Web Client, executes arbitrary script in the web client's origin. The script runs with the victim's authenticated webmail session, so it can read or act on data the user can see; in CVSS terms the impact is rated low on confidentiality and integrity and none on availability. The user-interaction requirement is the only barrier, and a link delivered by email to a webmail user is a realistic way to satisfy it.
Public references direct practitioners to the Zimbra Security Center and associated Openwall disclosures for official guidance on affected releases and remediation steps. The EPSS score currently stands at 0.9392, its highest value to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41465
Vulnerability details
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
- CWE(s): CWE-79
- KEV Date Added: 27 July 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Zimbra Collaboration (ZCS) 8 releases before 8.8.15 Patch 41, specifically the Zimbra Classic Web Client.
Mitigating Controls (NIST 800-53 r5)
Patching to 8.8.15 Patch 41 or later is the definitive fix; the controls below reduce exposure for instances that cannot be updated immediately.
- SI-10 (Information Input Validation): validate all inputs reaching the Classic Web Client against the expected type, length and character set, rejecting requests that carry the crafted payloads used to trigger CVE-2023-37580. Input validation alone is a defense-in-depth measure, since a parameter that legitimately needs free-form text cannot be allow-listed tightly enough to exclude every XSS vector.
- SI-15 (Information Output Filtering): apply context-aware encoding to every untrusted value the web client renders, so that attacker-controlled text cannot break out of an HTML text node or attribute and execute as script in the victim's browser. This is the control that actually removes the vulnerability class.
- SI-3 (Malicious Code Protection): deploy malicious-code protections (a web application firewall or browser-side filtering) that can inspect, block, or alert on script-based payloads delivered through the vulnerable web-client interface. Treat these as detection and damage limitation rather than a fix, because signature-based filters are routinely bypassed with encoding variations.
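The following is an added example, not code from the Zimbra project, showing what the SI-10 and SI-15 controls above look like in practice for a reflected parameter. It models a minimal server-side renderer that echoes a query parameter into HTML, first unsanitized (the pattern that produces a reflected XSS), then with output encoding only, then with encoding plus input validation. The endpoint name, parameter name, allow-list and payload are constructed for illustration and are not taken from the Zimbra code base or from the public exploit.

```javascript
// Added example (not Zimbra's code). The parameter name 'st', the folder-name
// allow-list and the payload below are constructed for illustration only.

// Vulnerable form: the query parameter is concatenated straight into the markup,
// so a value containing markup or an event handler becomes part of the page.
function renderVulnerable(params) {
  const st = params.get('st') ?? '';
  return `<div class="status">Moved to folder: ${st}</div>`;
}

// SI-15 (output filtering): HTML-entity encoding for the HTML text-node and
// double-quoted attribute contexts. Other contexts (JavaScript strings, URLs,
// CSS) need their own encoders; this one must not be reused for them.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoding alone is sufficient to neutralize the payload in this context.
function renderEncodedOnly(params) {
  const st = params.get('st') ?? '';
  return `<div class="status">Moved to folder: ${escapeHtml(st)}</div>`;
}

// SI-10 (input validation): the parameter is supposed to be a folder name, so
// accept only a short allow-listed character set and reject everything else.
// This is defense in depth on top of the encoding, not a replacement for it.
const FOLDER_NAME = /^[A-Za-z0-9 _\-]{1,64}$/;

class ValidationError extends Error {}

function validateFolderName(raw) {
  if (typeof raw !== 'string' || !FOLDER_NAME.test(raw)) {
    throw new ValidationError('invalid folder name');
  }
  return raw;
}

function renderHardened(params) {
  const st = validateFolderName(params.get('st') ?? '');
  return `<div class="status">Moved to folder: ${escapeHtml(st)}</div>`;
}

// Constructed input: a reflected-XSS style payload that closes the surrounding
// tag and injects an element with an event handler.
const PAYLOAD = '"><img src=x onerror=alert(document.cookie)>';

// Runs all three renderers over the payload and a benign value and returns the
// resulting markup (or the validation outcome) so the difference is visible.
function demo() {
  const hostile = new URLSearchParams({ st: PAYLOAD });
  const benign = new URLSearchParams({ st: 'Inbox' });
  const out = {
    vulnerable: renderVulnerable(hostile),
    encodedOnly: renderEncodedOnly(hostile),
    benign: renderHardened(benign),
  };
  try {
    out.hardened = renderHardened(hostile);
  } catch (e) {
    out.hardened = e instanceof ValidationError ? `rejected: ${e.message}` : String(e);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the block prints the three renderings side by side: the vulnerable output contains a live `<img ... onerror=...>` element, the encoded output carries the same characters as inert `&lt;`/`&gt;`/`&quot;` entities, and the hardened renderer never reaches the template because validation rejects the value first. The order of the two controls matters in reverse for review: when auditing a fix, confirm the output encoding is present for every rendering context before giving credit for an input filter.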