Bug 109017 - Non-persistent XSS - Web Client [CWE-79]
Summary: Non-persistent XSS - Web Client [CWE-79]
Status: RESOLVED FIXED
Alias: None
Product: ZCS
Classification: Unclassified
Component: Mail - Web Client
Version: 8.5.0_ZCS_JudasPriest
Hardware: All Browsers All
: P1 blocker
Target Milestone: ---
Assignee: Bug Owner
QA Contact: Girish Bhamare
URL: https://nvd.nist.gov/vuln-metrics/cvs...
Keywords: Security
Depends on:
Blocks:
 
Reported: 2018-07-22 01:50 EDT by Phil Pearl
Modified: 2019-05-28 16:31 EDT

See Also:
Feature Notes:
Eng Days:
QA Days:
Root Cause: ---
Fix Type: ---
QA Analysis: ---
CVE Number: CVE-2018-14013
CVSS Score: 4.3
CVE Reporter: Issam Rabhi <i.rabhi@sysdream.com>
ZCO Subcategory:
Queue Position:
Test Stories:
User Stories:
UX:
Developer:
PM:
QA:
Docs:


Description Phil Pearl 2018-07-22 01:50:47 EDT
A Non-persistent (aka Reflected) XSS vulnerability exists in the HTML web client. Details to follow.
Comment 4 Phil Pearl 2018-12-18 04:48:51 EST
Fixed in 8.8.11
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11
Comment 5 Phil Pearl 2019-01-04 18:04:14 EST
ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1 were released January 4, 2019. The releases include security fixes for:

- CVE-2018-20160 / Bug 109093 - XXE - Chat (CWE-611)
- CVE-2018-14013 / Bug 109017 - Non-persistent XSS - Web Client (CWE-79)
  Note: this fix is already in the ZCS 8.8.11 release