CVE-2023-34192

CRITICAL KEV NUCLEI

Zimbra ZCS <8.8.15 - XSS

Title source: llm

Description

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Nuclei Templates (1)

Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting

CRITICALby ritikchaddha

Shodan: http.favicon.hash:475145467 || http.favicon.hash:"1624375939" || http.favicon.hash:"475145467"

FOFA: icon_hash="475145467" || icon_hash="1624375939" || app="zimbra-邮件系统"

References (4)

[Release Notes, Vendor Advisory] https://wiki.zimbra.com/wiki/Security_Center

[Not Applicable] https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

[Vendor Advisory] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34192

Scores

CVSS v3 9.0

EPSS 0.8899

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CISA KEV 2025-02-25

VulnCheck KEV 2025-02-25

InTheWild.io 2023-07-20

ENISA EUVD EUVD-2023-38291

CWE

CWE-79

Status published

Products (1)

synacor/zimbra_collaboration_suite 8.8.15 (41 CPE variants)

Published Jul 06, 2023

KEV Added Feb 25, 2025

Tracked Since Feb 18, 2026