An XSS vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced. We take this matter very seriously and have already taken immediate action to address the issue.
Important: This vulnerability has been actively exploited, making it imperative to take immediate action. We strongly recommend following the provided mitigation steps without delay.
Issue Fixed
The issue has been fixed through input sanitization. We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release.
Take Action. Apply Fix Manually
We understand that you may want to take action sooner rather than later to protect your data.
To maintain the highest level of security, we kindly request your cooperation to apply the fix manually on all of your mailbox nodes.
Steps to apply the fix manually on all of your mailbox nodes
- Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
- Edit this file and go to line number 40
- Update the parameter value as below
<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
- Before the update, the line appeared as below
<input name="st" type="hidden" value="${param.st}"/>
- After the update, the line should appear as below
<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
Note: A Zimbra service restart is not required, so the change can be applied without any downtime.
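The manual steps above, written up as an added shell script (this is not Zimbra's own tooling): it backs up momoveto, replaces the unescaped `${param.st}` line by exact string match wherever it sits rather than trusting the line number, and verifies the file before and after. The path is the one the advisory gives; the function takes any path, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not Zimbra's script: back up and patch the momoveto JSP so the
# "st" parameter is emitted through fn:escapeXml, then verify the result.
# Usage: momoveto_apply_fix /opt/zimbra/jetty/webapps/zimbra/m/momoveto
VULN='<input name="st" type="hidden" value="${param.st}"/>'
FIXED='<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'

# 0 if the file still contains the unescaped line, 1 otherwise.
momoveto_is_vulnerable() {
    grep -qF -- "$VULN" "$1"
}

# 0 if the escaped line is present, 1 otherwise.
momoveto_is_fixed() {
    grep -qF -- "$FIXED" "$1"
}

# Back the file up next to itself, patch it in place (keeping inode, owner and
# mode), and confirm the expected line is now present. Returns 0 on success or
# if already fixed, 2 if the file has neither line, 1 on failure (backup restored).
momoveto_apply_fix() {
    f=$1
    if momoveto_is_fixed "$f" && ! momoveto_is_vulnerable "$f"; then
        echo "already fixed: $f"
        return 0
    fi
    if ! momoveto_is_vulnerable "$f"; then
        echo "unexpected content, not patching: $f" >&2
        return 2
    fi
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p -- "$f" "$bak" || return 1
    # awk with index()/substr() keeps any leading indentation and avoids
    # regex escaping of the $, ( and / characters in the markup.
    awk -v vuln="$VULN" -v fixed="$FIXED" '
        { i = index($0, vuln) }
        i { print substr($0, 1, i - 1) fixed substr($0, i + length(vuln)); next }
        { print }
    ' "$bak" > "$f" || return 1
    if momoveto_is_fixed "$f" && ! momoveto_is_vulnerable "$f"; then
        echo "patched: $f (backup: $bak)"
        return 0
    fi
    echo "verification failed, restoring from backup: $f" >&2
    cp -p -- "$bak" "$f"
    return 1
}
```

Run it as the zimbra user on every mailbox node; a second run reports "already fixed" and changes nothing.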
We apologize for any inconvenience this may cause, and we thank you for your understanding.
Zimbra is committed to providing you with the highest level of security, and we will continue to work diligently to protect your data.
There have been many similar XSS fixes in recent Zimbra patch releases. Is this one “worse” than others to warrant an explicit warning & pre-patch fix? Or is this just a new process to better inform customers of new vulnerabilities?
Please see: https://forums.zimbra.org/viewtopic.php?p=310015#p310015
Please note that the instructions above have been corrupted by “smart quotes” and you CANNOT copy and paste the line because of the use of the ” character, which is not valid. You must manually type this change.
I recommend that Zimbra fix this post to avoid use of non-ASCII convenience characters.
Thanks, the smart quotes have been removed, and you can copy-paste now.
Will you assign a CVE for this vulnerability?
The CVE-2023-37580 has been assigned.