XSS zero-day flaw in Zimbra Collaboration Suite under attack

A zero-day cross-site scripting vulnerability in Zimbra Collaboration Suite is under active exploitation, according to a Thursday security advisory from Zimbra.

According to the advisory, the cross-site scripting (XSS) flaw is present in Zimbra Collaboration Suite Version 8.8.15. The vendor said that if exploited, it could "potentially impact the confidentiality and integrity of your data." Zimbra said in the advisory that an update for the popular collaboration software would become available via a patch release later this month.

In the meantime, a manual workaround is available in the advisory. After taking a backup of the file "/opt/zimbra/jetty/webapps/zimbra/m/momoveto" customers should edit the file by going to line No. 40 and updating the parameter from <input name="st" type="hidden" value="${param.st}"/> to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>.

"The issue has been fixed through input sanitization," the advisory read. "We have also performed rigorous testing to ensure the effectiveness and stability of the system."

Maddie Stone, a security researcher at Google's Threat Analysis Group, tweeted Thursday that Google security engineer Clément Lecigne discovered the vulnerability "being used in-the-wild in a targeted attack." In a reply to Huntress researcher John Hammond, Lecigne tweeted that the attacker would need to be authenticated for the flaw to be exploited.

Few technical details about the flaw are available, and Zimbra parent company Synacor has not responded to TechTarget Editorial's request for comment. At press time, the Zimbra zero-day vulnerability had not been assigned a CVE.

XSS flaws are considered common vulnerabilities for software, and are listed as part of the Open Web Application Security Project's Top 10 most popular web application security vulnerabilities list.

Alexander Culafi is a writer, journalist and podcaster based in Boston.