Vulnerability Description
An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zimbra | Collaboration | >= 8.8, < 8.8.15 |
Related Weaknesses (CWE)
References
- https://blog.sonarsource.com/zimbra-webmail-compromise-via-emailExploitMitigationThird Party Advisory
- https://wiki.zimbra.com/wiki/Security_CenterRelease NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23Release NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16Release NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
- https://blog.sonarsource.com/zimbra-webmail-compromise-via-emailExploitMitigationThird Party Advisory
- https://wiki.zimbra.com/wiki/Security_CenterRelease NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23Release NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16Release NotesVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
FAQ
What is CVE-2021-35208?
CVE-2021-35208 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript i...
How severe is CVE-2021-35208?
CVE-2021-35208 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-35208?
Check the references section above for vendor advisories and patch information. Affected products include: Zimbra Collaboration.