Zimbra Addresses Zero-Day Vulnerability Exploited in XSS Attacks
July 27, 2023
Zimbra has rolled out security patches to address a zero-day vulnerability that was being exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. The vulnerability, now tracked as CVE-2023-38750, is a reflected cross-site scripting (XSS) flaw discovered by Clément Lecigne of Google's Threat Analysis Group (TAG). XSS vulnerabilities are a significant threat because they allow malicious actors to steal sensitive data from, or run harmful code in the context of, susceptible systems.
Zimbra did not initially reveal that the zero-day was being exploited when it first announced the vulnerability and advised administrators to apply a manual fix; it was Maddie Stone of Google TAG who disclosed that the vulnerability had been found while being exploited in a targeted attack.
Two weeks after the initial advisory was published, Zimbra released ZCS 10.0.2, a version that also addresses the CVE-2023-38750 bug, which could potentially expose internal JSP and XML files. A different reflected XSS bug in Zimbra had been exploited since February 2023 by the Russian hacking group Winter Vivern to infiltrate the webmail portals of NATO-aligned governments and steal the emails of government officials, military personnel, and diplomats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to U.S. federal agencies to secure their systems against attacks exploiting CVE-2023-38750. The agency has added this vulnerability to its Known Exploited Vulnerabilities catalog, which requires Federal Civilian Executive Branch Agencies (FCEB) to patch vulnerable ZCS email servers on their networks in line with the binding operational directive (BOD 22-01) issued in November 2021. CISA has set a deadline of August 17th for compliance, instructing them to mitigate the flaw on all unpatched devices.
While the catalog is primarily for U.S. federal agencies, private companies are also strongly recommended to prioritize and implement patches for all vulnerabilities listed in CISA's catalog of exploited bugs. CISA warned today, 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.'
This Tuesday, CISA also instructed U.S. federal agencies to address an authentication bypass bug in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, which was exploited as a zero-day to hack a software platform used by 12 Norwegian ministries.