First published: Tue May 05 2020
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Zimbra (Zimbra Collaboration, ZCS) | =9.0.0 | Update to 9.0.0 Patch 2 or later
CVE-2020-11737 is a cross-site scripting (XSS) vulnerability in Zimbra 9.0 Web Client.
The severity of CVE-2020-11737 is medium with a CVSS score of 6.1.
CVE-2020-11737 affects Zimbra Collaboration (ZCS) 9.0.0, allowing a remote attacker to execute arbitrary JavaScript by crafting links in an E-Mail message or calendar invite.
To fix CVE-2020-11737, update to Zimbra Collaboration (ZCS) 9.0.0 Patch 2 or later.
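A defender-side check for the link shape this advisory describes, added here as an example and not Zimbra's own code or fix: it parses a message body with the standard library HTML parser and flags anchors that carry inline event-handler attributes, and separately counts raw occurrences of a quoted "www" immediately followed by an on* attribute. The two sample bodies are constructed, and the handler name in the suspect sample is a placeholder.

```python
"""Flag message HTML matching the CVE-2020-11737 link pattern (added example)."""
import re
from html.parser import HTMLParser

# Raw-text form of the pattern in the advisory: the quoted substring "www"
# directly followed by an event-handler attribute such as onmouseover.
RAW_PATTERN = re.compile(r'"www"\s*on[a-z]+\s*=', re.IGNORECASE)


class AnchorHandlerFinder(HTMLParser):
    """Collect every <a> start tag that carries any on* attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []  # one list of (name, value) pairs per offending anchor

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        # html.parser lowercases attribute names, so a plain prefix test suffices.
        handlers = [(name, value) for name, value in attrs if name.startswith("on")]
        if handlers:
            self.findings.append(handlers)


def scan_mail_html(body: str) -> dict:
    """Run both checks over one HTML mail body and report what fired."""
    finder = AnchorHandlerFinder()
    finder.feed(body)
    finder.close()
    return {
        "anchors_with_handlers": finder.findings,
        "raw_pattern_hits": len(RAW_PATTERN.findall(body)),
    }


# Constructed samples: a benign link whose path merely contains "www", and a
# link shaped like the advisory's description (placeholder handler, no payload).
BENIGN = '<p>See <a href="https://example.com/www/index.html">the site</a>.</p>'
SUSPECT = '<p><a href="https://example.com/"www" onmouseover="handler()">click</a></p>'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_mail_html(body))
```

The anchor check is the one to keep in a mail-gateway or log pipeline, since it catches inline handlers regardless of how the attribute text is split; the raw-pattern count is only a cheap signature for this specific advisory.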
More information about CVE-2020-11737 can be found in the following references:

- [Zimbra Blog](https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/)
- [Zimbra Wiki](https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2)
- [Zimbra Security Advisories](https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories)