CVE-2017-8802

MEDIUM

Zimbra Collaboration Suite < 8.8.0 Beta2 - Stored Cross-Site Scripting via Show Snippet Functionality

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8802. PoCs published by ozzi-.

AI-analyzed exploit summary This repository provides a Zimlet (Zimbra extension) to mitigate CVE-2017-8802 by disabling the 'Show Fragment' functionality. It includes a JavaScript file that overrides the default behavior to prevent exploitation.

Description

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.

Exploits (1)

nomisec WRITEUP
by ozzi- · poc
https://github.com/ozzi-/Zimbra-CVE-2017-8802-Hotifx

This repository provides a Zimlet (Zimbra extension) to mitigate CVE-2017-8802 by disabling the 'Show Fragment' functionality. It includes a JavaScript file that overrides the default behavior to prevent exploitation.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Zimbra Collaboration Suite
Auth required
Prerequisites: Access to Zimbra administration to deploy the Zimlet
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Permissions Required x_refsource_confirm
https://bugzilla.zimbra.com/show_bug.cgi?id=107925
Patch, Vendor Advisory x_refsource_confirm
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/541661/100/0/threaded

Scores

CVSS v3 5.4
EPSS 0.0126
EPSS Percentile 66.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
synocor/zimbra_collaboration_suite 8.8.0 beta1
synocor/zimbra_collaboration_suite < 8.7.11
Published Jan 16, 2018
Tracked Since Feb 18, 2026