Security Update for Zimbra Collaboration Suite Version 8.8.15 CVE-2023-37580

Security Update for Zimbra Collaboration Suite - Version 8.8.15

An XSS vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced. We take this matter very seriously and have already taken immediate action to address the issue.

Important: This vulnerability has been actively exploited, making it imperative to take immediate action. We strongly recommend following the provided mitigation steps without delay.

 

Issue Fixed

The issue has been fixed through input sanitization. We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release.

 

Take Action. Apply Fix Manually 

We understand that you may want to take action sooner rather than later to protect your data.

To maintain the highest level of security, we kindly request your cooperation to apply the fix manually on all of your mailbox nodes.

 

Steps to apply the fix manually on all of your mailbox nodes

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Edit this file and go to line number 40
  3. Update the parameter value as below
    <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
  4. Before the update, the line appeared as below
    <input name="st" type="hidden" value="${param.st}"/>

     

After the update, the line should appear as below

<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

 

Note: Zimbra service restart is not required so you can do it without any downtime.

We apologize for any inconvenience this may cause, and we thank you for your understanding.

Zimbra is committed to providing you with the highest level of security, and we will continue to work diligently to protect your data.

6 Responses to Security Update for Zimbra Collaboration Suite Version 8.8.15 CVE-2023-37580

  1. Geert July 13, 2023 at 5:05 AM #

    There have been many similar XSS fixes in recent Zimbra patch releases. Is this one “worse” than others to warrant an explicit warning & pre-patch fix? Or is this just a new process to better inform customers of new vulnerabilities?

  2. Jered July 13, 2023 at 8:32 AM #

    Please note that the instructions above have been corrupted by “smart quotes” and you CANNOT copy and paste the line because use of the ” character which is not valid. You must manually type this change.

    I recommend that Zimbra fix this post to avoid use of non-ASCII convenience characters.

    • Avatar photo
      Barry de Graaff July 13, 2023 at 9:29 PM #

      Thanks, the smart quotes have been removed, and you can copy-paste now.

  3. Daniel August 8, 2023 at 11:26 AM #

    Will you assign a CVE for this vulnerability?

    • Avatar photo
      Barry de Graaff August 9, 2023 at 3:18 AM #

      The CVE-2023-37580 has been assigned.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures