[Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

David Touitou david at network-studio.com
Wed Jan 17 10:03:44 CET 2018


Barry and all,

> It looks like a patch for 8.0 to 8.5 is available here:
> https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79

This patch is for CVE-2015-7609.
That's Zimbra's bug 101435 and 101436.
It was included in 8.6.0 patch 5.

CWE-79 is a kind of vulnerability: https://cwe.mitre.org/data/definitions/79.html
It's not a reference to one specific vulnerability in a code.
For specific vulnerabilities, you have to look at CVE-serial not CWE-type-of-vulnerability.

If you look here at the official security advisories list for Zimbra (https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) you'll find seven (7) different CWE-79 vulnerabilities since last 8.6 official patch: CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and one without CVE-serial. Some are public, some are not.

> 8.6.0 Patch-8 has been issued on 2 February 2017, nothing in Github.
> The config_template.xml for url zimlet in the patch is the same one as
> in wolfyzvf/Zimbra-Collaboration-CWE-79.

That's because this specific CWE-79 was fixed in 8.6.0-P5 (CVE-2015-7609).

> It would like to see what the exploit was exactly. But I do not think CWE-79 is
> a problem on 8.6 atm.

I'm not so sure.

David




More information about the Users mailing list