Cross-site scripting zero-day vulnerability in Zimbra Collaboration Suite requires manual fixes

Zimbra has confirmed that a zero-day cross-site scripting vulnerability is present in Zimbra Collaboration Suite Version 8.8.15.

According to a Thursday, July 13, 2023 security advisory from Zimbra, the cross-site scripting (XSS) vulnerability is present in Zimbra Collaboration Suite Version 8.8.15 and, if exploited, it could “potentially impact the confidentiality and integrity of your data. This vulnerability has been actively exploited, making it imperative to take immediate action.”

In a blog post, the Zimbra developers wrote that they rigorously tested the change to ensure the stability of the system. The fix is planned to be delivered in the July patch release, but they strongly recommend applying the fix steps manually without delay.

Steps to apply the fix manually:

  • Make a copy of the file: /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  • Edit this file and go to line number 40
  • Update the parameter value as below:
        <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
  • Before the modification, line number 40 was as below:
        <input name="st" type="hidden" value="${param.st}"/>

The fix takes effect immediately. A Zimbra service restart is not required, so you can apply it without any downtime.
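The manual steps above as an added shell helper (not Zimbra's own code): it backs up the file, applies the fn:escapeXml change by matching the exact unescaped expression rather than trusting line number 40, and verifies the result. It assumes POSIX sh, grep and sed, and takes the momoveto path as its first argument.

```shell
#!/bin/sh
# Added example, not Zimbra's own code. Applies the advisory's momoveto fix by
# matching the exact unescaped expression instead of trusting line number 40.
# Assumes POSIX sh, grep and sed; the file path is given as the first argument.

VULN='value="${param.st}"'
FIXED='value="${fn:escapeXml(param.st)}"'

# 0 if the file still emits the raw "st" parameter into the hidden input.
momoveto_is_vulnerable() {
    grep -qF -- "$VULN" "$1"
}

# 0 if the escaped expression is present and the raw one is gone.
momoveto_is_fixed() {
    grep -qF -- "$FIXED" "$1" && ! grep -qF -- "$VULN" "$1"
}

# Back up the file, rewrite the expression in place, then re-check.
# Idempotent: a file that is already fixed is left alone.
fix_momoveto() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    if momoveto_is_fixed "$f"; then
        echo "already fixed: $f"
        return 0
    fi
    if ! momoveto_is_vulnerable "$f"; then
        echo "unexpected content, not patching: $f" >&2
        return 3
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 4
    # '$' and '.' are escaped in the BRE so only the literal EL expression
    # matches; writing back with cat keeps the file's owner and mode.
    out="$f.tmp.$$"
    sed 's|value="\${param\.st}"|value="${fn:escapeXml(param.st)}"|' "$f" > "$out" \
        && cat "$out" > "$f"
    rm -f "$out"
    if momoveto_is_fixed "$f"; then
        echo "fixed: $f"
    else
        echo "patch did not apply cleanly, restore from backup: $f" >&2
        return 5
    fi
}

if [ $# -gt 0 ]; then
    fix_momoveto "$1"
fi
```

Run it as `sh fix_momoveto.sh /opt/zimbra/jetty/webapps/zimbra/m/momoveto`; a second run reports "already fixed", so it is safe to include in configuration management.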
