[Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

Barry de Graaff info at barrydegraaff.tk
Wed Jan 17 10:18:16 CET 2018 

Hello David,

I agree with you that there are probably some XSS fixes not applied
to 8.6. But all the bugs listed on Security/Advisories except the nginx 
hosts bug are `Access denied` to me. 

The problem with this page is:
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
That it should list the supported versions affected.

I guess the original question still stands, but w/o more details
there is not much we can do.

Kind regards, 

Barry de Graaff
Zeta Alliance 
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community

+31 617 220 227 | skype: barrydegraaff.tk
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

----- Original Message -----
From: "David Touitou" <david at network-studio.com>
To: "Barry de Graaff" <info at barrydegraaff.tk>
Cc: users at lists.zetalliance.org
Sent: Wednesday, January 17, 2018 10:03:44 AM
Subject: Re: [Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

Barry and all,

> It looks like a patch for 8.0 to 8.5 is available here:
> https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79

This patch is for CVE-2015-7609.
That's Zimbra's bug 101435 and 101436.
It was included in 8.6.0 patch 5.

CWE-79 is a kind of vulnerability: https://cwe.mitre.org/data/definitions/79.html
It's not a reference to one specific vulnerability in a code.
For specific vulnerabilities, you have to look at CVE-serial not CWE-type-of-vulnerability.

If you look here at the official security advisories list for Zimbra (https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) you'll find seven (7) different CWE-79 vulnerabilities since last 8.6 official patch: CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and one without CVE-serial. Some are public, some are not.

> 8.6.0 Patch-8 has been issued on 2 February 2017, nothing in Github.
> The config_template.xml for url zimlet in the patch is the same one as
> in wolfyzvf/Zimbra-Collaboration-CWE-79.

That's because this specific CWE-79 was fixed in 8.6.0-P5 (CVE-2015-7609).

> It would like to see what the exploit was exactly. But I do not think CWE-79 is
> a problem on 8.6 atm.

I'm not so sure.

David

More information about the Users mailing list