CVE-2023-45207: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Zimbra Collaboration (ZCS) versions 8.8.15, 9.0, and 10.0. The vulnerability (CVE-2023-45207) was disclosed on February 13, 2024. The issue affects the PDF preview functionality in the webmail interface when using Chrome browser (NVD).

The vulnerability occurs when an attacker sends a PDF document containing malicious JavaScript code through email. When this PDF is previewed in the webmail interface using Chrome browser, the stored XSS payload gets executed. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session when a malicious PDF is previewed. This could potentially lead to unauthorized access to user data, session hijacking, or other malicious actions within the scope of the user's browser session (NVD).

The vulnerability has been fixed by sanitizing the JavaScript code present in PDF documents. Users should upgrade to the following patched versions: ZCS 8.8.15 Patch 44, ZCS 9.0.0 Patch 37, or ZCS 10.0.5 (Zimbra Security).

The vulnerability was discovered and reported by Ramin (Twitter: @realraminfp, GitHub: raminfp). Zimbra has acknowledged the finding and released patches to address the issue (Zimbra Advisories).