CVE-2023-37580

MEDIUM KEV NUCLEI

Zimbra Collaboration Suite 8.8.0-8.8.14 - Stored Cross-Site Scripting in Classic Web Client

Title source: llm

Exploitation Summary

CVE-2023-37580 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 27, 2023. A Nuclei detection template is also available.

Description

Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

Nuclei Templates (1)

Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting

MEDIUMby ritikchaddha

Shodan: http.favicon.hash:475145467 || http.favicon.hash:"475145467"

FOFA: icon_hash="475145467"

References (4)

Core 4

Core References

Release Notes

https://wiki.zimbra.com/wiki/Security_Center

Not Applicable

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-37580

Mailing List, Patch mailing-list

http://www.openwall.com/lists/oss-security/2023/11/17/2

Scores

CVSS v3 6.1

EPSS 0.9392

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2023-07-27

VulnCheck KEV 2023-06-29

InTheWild.io 2023-06-29

ENISA EUVD EUVD-2023-41465

CWE

CWE-79

Status published

Products (2)

synacor/zimbra_collaboration_suite 8.8.15 p11 (13 CPE variants)

synacor/zimbra_collaboration_suite 8.8.0 - 8.8.15

Published Jul 31, 2023

KEV Added Jul 27, 2023

Tracked Since Feb 18, 2026