
Warning: CVE-2023-38750 Zimbra ZCS XSS Vulnerability

Reference: Advisory #2023-88
Version: 1.0
Affected software: Zimbra Collaboration (ZCS)
Type: Cross-Site Scripting (XSS) Vulnerability
CVE/CVSS: CVE-2023-38750/undisclosed

Sources

https://info.zimbra.com/security-update-zimbra-collaboration-suite-versi...

https://wiki.zimbra.com/wiki/Security_Center 

Risks

An actively exploited zero-day vulnerability tracked as CVE-2023-38750 was found in Zimbra Collaboration (ZCS). Successful exploitation could impact the confidentiality and integrity of data.

Description

On July 13th, 2023, Zimbra warned customers of an actively exploited vulnerability in Zimbra Collaboration (ZCS). Zimbra urged customers to apply mitigations to version 8.8.15. This vulnerability was discovered by Clément Lecigne of Google Threat Analysis Group (TAG).
 
On July 26th, 2023, Zimbra released an update to address CVE-2023-38750.
 
CVE-2023-37580 is a Cross-Site Scripting (XSS) vulnerability that could lead to exposure of internal JSP and XML files.

Recommended Actions

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.
 
Update the installation to the latest version available at: https://wiki.zimbra.com/wiki/Security_Center
 
Patched versions:
  • ZCS 10.0.2
  • ZCS 9.0.0 Patch 34
  • ZCS 8.8.15 Patch 41
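As an added example (not part of the CCB advisory or Zimbra's own tooling), the following Python check compares the release banner printed by `zmcontrol -v` against the patched versions listed above and reports whether a host is still below the fix level for its branch. The banner format ("Release X.Y.Z.GA... , Patch X.Y.Z_Pnn") is assumed from typical Zimbra output, and the sample banners are constructed.

```python
import re

# Minimum fixed releases from the advisory, keyed by (major, minor) branch.
# Tuple layout: (major, minor, micro, patch_level).
PATCHED = {
    (10, 0): (10, 0, 2, 0),    # ZCS 10.0.2
    (9, 0): (9, 0, 0, 34),     # ZCS 9.0.0 Patch 34
    (8, 8): (8, 8, 15, 41),    # ZCS 8.8.15 Patch 41
}

# Assumed banner format of `zmcontrol -v`, e.g.
# "Release 8.8.15.GA.3869.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P40."
RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch_level) from a zmcontrol banner.

    A banner without a 'Patch ..._Pnn' suffix is treated as patch level 0.
    """
    m = RELEASE_RE.search(banner)
    if not m:
        raise ValueError("unrecognised zmcontrol banner: %r" % banner)
    major, minor, micro = (int(x) for x in m.groups())
    p = PATCH_RE.search(banner)
    patch = int(p.group(1)) if p else 0
    return (major, minor, micro, patch)


def is_patched(banner):
    """True if the install meets the advisory's fix level for its branch,
    False if it is below it, None if the branch is not covered (e.g. 8.7.x,
    which is out of support and should be treated as vulnerable)."""
    version = parse_version(banner)
    minimum = PATCHED.get(version[:2])
    if minimum is None:
        return None
    return version >= minimum


if __name__ == "__main__":
    # Constructed sample banners, not output from a real host.
    samples = [
        "Release 8.8.15.GA.3869.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P40.",
        "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P34.",
        "Release 10.0.2.GA.4540.UBUNTU20.64 UBUNTU20_64 NETWORK edition.",
        "Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.7.11_P10.",
    ]
    for banner in samples:
        status = {True: "patched", False: "VULNERABLE", None: "UNSUPPORTED BRANCH"}
        print(status[is_patched(banner)], "-", parse_version(banner))
```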

References

https://nvd.nist.gov/vuln/detail/CVE-2023-37580 

https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-adds-one-known-e...

https://www.bleepingcomputer.com/news/security/zimbra-patches-zero-day-v...