[Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

David Touitou david at network-studio.com
Wed Jan 17 10:23:02 CET 2018


Barry,

I agree 8)

I opened the discussion about one specific XSS (bug 108265) as I read about it in BugTraq mailing-list last Friday.
But it's the same about all the vulnerabilities listed on the page (since P8)...

It seems 8.6 was not tested (?) when you look at the CVE details on securityfocus.
It's in neither the "vulnerable" nor the "not-vulnerable" list of versions.

David

----- Original Message -----
> From: "Barry de Graaff" <info at barrydegraaff.tk>
> To: "David Touitou" <david at network-studio.com>
> Cc: users at lists.zetalliance.org
> Sent: Wednesday, January 17, 2018 10:18:16
> Subject: Re: [Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

> Hello David,
> 
> I agree with you that there are probably some XSS fixes not applied
> to 8.6. But all the bugs listed on Security/Advisories except the nginx
> hosts bug are `Access denied` to me.
> 
> The problem with this page is:
> https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
> That it should list the supported versions affected.
> 
> I guess the original question still stands, but w/o more details
> there is not much we can do.
> 
> Kind regards,
> 
> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community
> 
> +31 617 220 227 | skype: barrydegraaff.tk
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
> 
> ----- Original Message -----
> From: "David Touitou" <david at network-studio.com>
> To: "Barry de Graaff" <info at barrydegraaff.tk>
> Cc: users at lists.zetalliance.org
> Sent: Wednesday, January 17, 2018 10:03:44 AM
> Subject: Re: [Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS -
> message view as text [CWE-79]
> 
> Barry and all,
> 
>> It looks like a patch for 8.0 to 8.5 is available here:
>> https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79
> 
> This patch is for CVE-2015-7609.
> That's Zimbra's bug 101435 and 101436.
> It was included in 8.6.0 patch 5.
> 
> CWE-79 is a kind of vulnerability:
> https://cwe.mitre.org/data/definitions/79.html
> It's not a reference to one specific vulnerability in code.
> For specific vulnerabilities, you have to look at CVE-serial not
> CWE-type-of-vulnerability.
> 
> If you look here at the official security advisories list for Zimbra
> (https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) you'll find seven (7)
> different CWE-79 vulnerabilities since last 8.6 official patch: CVE-2016-3999,
> CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and
> one without CVE-serial. Some are public, some are not.
> 
>> 8.6.0 Patch-8 has been issued on 2 February 2017, nothing in Github.
>> The config_template.xml for url zimlet in the patch is the same one as
>> in wolfyzvf/Zimbra-Collaboration-CWE-79.
> 
> That's because this specific CWE-79 was fixed in 8.6.0-P5 (CVE-2015-7609).
> 
>> I would like to see what the exploit was exactly. But I do not think CWE-79 is
>> a problem on 8.6 atm.
> 
> I'm not so sure.
> 
> David



