
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 contains a cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client. The vulnerability was discovered in June 2023 and patched on July 25, 2023, with a hotfix released to the public GitHub repository on July 5, 2023. This vulnerability affects thousands of companies and hundreds of millions of individuals using the Zimbra Collaboration Suite, including organizations like the Japan Advanced Institute of Science and Technology, Germany's Max Planck Institute, and Gunung Sewu (Dark Reading).
The vulnerability is a reflected cross-site scripting (XSS) issue: the web client reflects the value of a URL query parameter into the page without escaping it. For example, an exploit could be triggered through a maliciously crafted URL containing JavaScript code in the 'st' parameter. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it can be exploited remotely without privileges but requires user interaction (NVD).
When successfully exploited, the vulnerability allows attackers to steal email data, user credentials, and authentication tokens from affected systems. The vulnerability has been actively exploited to target government organizations worldwide, with confirmed attacks against organizations in Greece, Moldova, Tunisia, Vietnam, and Pakistan (Dark Reading).
The vulnerability was patched in ZCS 8.8.15 Patch 41, released on July 26, 2023. The fix involves properly escaping the contents of the 'st' parameter before it is set as a value in an HTML object. Organizations are strongly advised to upgrade to this patch version or later to protect against this vulnerability (Zimbra Security Center).
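The reflected 'st' parameter described above and the escaping fix, as an added example written for this entry (not Zimbra's code): a hypothetical search-box template in its unsafe and escaped forms, plus a check a defender can run over web server access log lines to flag 'st' values that carry markup characters. Function names, the `/search` path and the log lines are constructed for illustration.

```javascript
// Minimal HTML escaper covering the five characters that matter in
// element content and in double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The 'st' query parameter, decoded the way a server-side template sees it.
// `base` is only needed when `url` is a bare request path.
function getStParam(url, base) {
  return new URL(url, base).searchParams.get('st') ?? '';
}

// Unsafe sink (hypothetical): the raw parameter is interpolated into an
// attribute value, so a '"' in the input closes the attribute and anything
// after it is parsed as markup by the browser.
function renderSearchBoxUnsafe(st) {
  return `<input type="text" name="st" value="${st}">`;
}

// Fixed sink: escape the value before it reaches the HTML.
function renderSearchBoxSafe(st) {
  return `<input type="text" name="st" value="${escapeHtml(st)}">`;
}

// Defender-side check over one access-log line (combined log format):
// flag requests whose decoded 'st' value contains characters that only
// make sense as markup or attribute breakout, which search terms rarely do.
function stParamLooksSuspicious(logLine) {
  const m = logLine.match(/"(?:GET|POST) (\S+)/);
  if (!m) return false;
  let st;
  try {
    st = getStParam(m[1], 'http://placeholder.invalid');
  } catch {
    return false; // unparseable request target: nothing to judge
  }
  return /[<>"']/.test(st);
}

// Constructed sample log lines (not real traffic).
const CONSTRUCTED_LOG = [
  '10.0.0.1 - - [05/Jul/2023:10:00:00 +0000] "GET /search?st=%22%3E%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
  '10.0.0.2 - - [05/Jul/2023:10:00:01 +0000] "GET /search?st=quarterly+report HTTP/1.1" 200 512',
];

// Which constructed lines would be flagged (index list).
function flaggedLines(lines) {
  return lines.map((l, i) => (stParamLooksSuspicious(l) ? i : -1)).filter((i) => i >= 0);
}
```

The flagged-line check is a coarse heuristic for triage, not a substitute for applying Patch 41.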
The vulnerability has drawn significant attention due to its exploitation by multiple APT groups targeting government organizations. Google's Threat Analysis Group (TAG) has actively tracked and reported on the exploitation campaigns, highlighting how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where fixes are available in repositories but not yet released to users (Dark Reading).
Source: This report was generated using AI