Cyber Resilience

CVE-2023-37580

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 31 July 2023
Modified: 31 October 2025
KEV Added: 27 July 2023
Patch: 17 November 2023
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.9392 (99.9th percentile)
Risk Priority: 89 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37580 is a medium-severity cross-site scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) 8 before 8.8.15 Patch 41. Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, its EPSS score of 0.9392 ranks it in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering); upgrading to 8.8.15 Patch 41 or later removes the flaw itself.

Deeper analysis

CVE-2023-37580 is a cross-site scripting vulnerability, tracked as CWE-79, that affects Zimbra Collaboration (ZCS) 8 prior to 8.8.15 Patch 41. The flaw resides in the Zimbra Classic Web Client and carries a CVSS 3.1 score of 6.1, reflecting a network attack vector, low attack complexity, no required privileges, required user interaction and changed scope (the vulnerable component is the Zimbra server, but the injected script executes in the victim's browser).

An unauthenticated attacker can supply a crafted link or message that, when viewed by a user in the Classic Web Client, executes arbitrary script in the victim's browser within the Zimbra application's origin, and therefore with the victim's session. Successful exploitation yields limited impact on confidentiality and integrity while leaving availability unaffected.

Public references direct practitioners to the Zimbra Security Center and the associated Openwall disclosure for official guidance on affected releases and remediation steps. The EPSS score has remained flat at its current peak value of 0.9392, with no material rise observed since disclosure.


Vulnerability details

Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
KEV Date Added: 27 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Synacor
Product: Zimbra Collaboration Suite
Versions: 8.8.0 through 8.8.15 (fixed in 8.8.15 Patch 41)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of all inputs to the Classic Web Client, directly blocking the crafted XSS payloads that trigger CVE-2023-37580.

SI-15 Information Output Filtering (prevent)

Mandates filtering or encoding of all outputs rendered by the web client, neutralizing untrusted script before it executes in the victim's browser.

SI-3 Malicious Code Protection (prevent, detect)

Deploys malicious-code protections that can inspect, block, or alert on script-based payloads delivered through the vulnerable web-client interface.
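The two preventive controls above are easiest to see side by side. The following is an added example, not Zimbra code and not derived from the CVE-2023-37580 fix: a hypothetical webmail banner that reflects a query parameter into HTML (the vulnerable pattern), the same view with output encoding only (SI-15), and a hardened version that allow-list validates the parameters (SI-10) and still encodes. The parameter names `view` and `greeting`, the markup, the allowed-character policy and the attack payload are all invented for illustration; the `hasScriptableMarkup` check is a simple heuristic for the demo, not a production XSS detector.

```javascript
// Added example (not Zimbra code): reflected-XSS pattern beside the SI-10
// (input validation) and SI-15 (output encoding) fixes. Parameter names,
// markup and payload are hypothetical.

// Constructed attacker-controlled query string, as it would arrive in the
// crafted link the victim is lured into opening.
const ATTACK_QUERY =
  'view=classic&greeting=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';
const BENIGN_QUERY = 'view=classic&greeting=Alice%20Smith';

// Vulnerable pattern: the untrusted query value is concatenated straight into
// HTML, so the browser parses the attacker's <img onerror=...> as markup.
function renderUnsafe(query) {
  const p = new URLSearchParams(query);
  const greeting = p.get('greeting') ?? '';
  return `<div class="banner">Welcome, ${greeting}</div>`;
}

// SI-15, output filtering: encode the five HTML-significant characters for
// the HTML text context. The attacker's bytes still reach the page, but as
// inert text rather than as an element with an event handler.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderEncodedOnly(query) {
  const p = new URLSearchParams(query);
  const greeting = p.get('greeting') ?? '';
  return `<div class="banner">Welcome, ${escapeHtml(greeting)}</div>`;
}

// SI-10, input validation at the trust boundary: allow-list each parameter
// and reject anything else. Returns null for rejected input instead of
// trying to "clean" it (sanitising by deletion is easy to bypass).
const ALLOWED_VIEWS = new Set(['classic', 'modern']);
const GREETING_RE = /^[\p{L}\p{N} .,-]{0,64}$/u; // hypothetical policy

function validateParams(query) {
  const p = new URLSearchParams(query);
  const view = p.get('view') ?? 'classic';
  const greeting = p.get('greeting') ?? '';
  if (!ALLOWED_VIEWS.has(view) || !GREETING_RE.test(greeting)) return null;
  return { view, greeting };
}

// Hardened rendering: validate first, encode always. Encoding stays in place
// so a gap in the allow-list does not turn into script execution.
function renderHardened(query) {
  const params = validateParams(query);
  if (params === null) return '<div class="banner">Welcome</div>';
  return `<div class="banner">Welcome, ${escapeHtml(params.greeting)}</div>`;
}

// Demo-only heuristic: does the rendered markup contain a <script> tag or an
// element carrying an inline event handler? The encoded output still contains
// the text "onerror=", but no longer inside a tag, so it does not match.
function hasScriptableMarkup(html) {
  return /<\s*script\b|<\s*[a-z][^>]*\son\w+\s*=/i.test(html);
}

function demo() {
  return {
    unsafe: renderUnsafe(ATTACK_QUERY),
    unsafeIsScriptable: hasScriptableMarkup(renderUnsafe(ATTACK_QUERY)),
    encodedOnly: renderEncodedOnly(ATTACK_QUERY),
    encodedIsScriptable: hasScriptableMarkup(renderEncodedOnly(ATTACK_QUERY)),
    hardened: renderHardened(ATTACK_QUERY),
    benign: renderHardened(BENIGN_QUERY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the `unsafe` and `encodedOnly` strings: the payload is byte-for-byte present in both, but only the unencoded one yields an `<img>` element whose `onerror` handler the browser would execute. Validation alone would also have stopped this payload, but it is the encoding step that makes the outcome independent of how complete the allow-list is.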
