"Zimbra Patches Exploited Zero-Day Vulnerability"

Zimbra recently released patches for a cross-site scripting (XSS) vulnerability in Collaboration Suite that has been exploited in malicious attacks. The vulnerability is tracked as CVE-2023-37580 and was disclosed earlier this month, when Zimbra recommended manual patching for version 8.8.15 of the popular email and collaboration solution. No CVE identifier had been issued for the flaw at the time, but Clement Lecigne of Google's Threat Analysis Group (TAG) said that in-the-wild exploitation had been observed.

Zimbra has since announced software updates for Zimbra Collaboration Suite versions 8.8.15, 9.0.0, and 10.0.x. A fix for the exploited security bug was included in version 8.8.15 patch 41 of the solution.

The company noted that the update also resolves two other vulnerabilities in the suite: CVE-2023-38750, an issue leading to the exposure of internal JSP and XML files, and CVE-2023-0464, a bug "related to the verification of X.509 certificate chains that include policy constraints" in OpenSSL. Patches for these two flaws were also included in Zimbra Collaboration Suite versions 10.0.2 and 9.0.0 patch 34. CVE-2023-37580, however, only impacts version 8.8.15 of the solution.


SecurityWeek reports: "Zimbra Patches Exploited Zero-Day Vulnerability"
