CVE-2024-45194
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration lets an attacker who already holds administrative access inject JavaScript into email account configuration data. The injected script is stored server-side and runs in the browser of any user who later views the affected web interface elements, so one rogue or compromised admin account can reach other users' (and other admins') sessions. Affected: Zimbra Collaboration 9.0.0 before Patch 41, 10.0.x before 10.0.9, and 10.1.x before 10.1.1.
💻 Affected Systems
- Zimbra Collaboration Suite
📦 What is this software?
Zimbra Collaboration (ZCS) is an email and collaboration server with a browser-based webmail client and a separate browser-based administration console (port 7071 by default) used to manage accounts and their configuration.
⚠️ Risk & Real-World Impact
Worst Case
A rogue or compromised administrator plants a payload that executes in the browser of every user who views the poisoned configuration, including other administrators. Stolen authentication tokens or captured credentials then allow session hijacking and full account takeover; if an admin console session is hijacked, the attacker gains control of the whole deployment.
Likely Case
Targeted attacks against specific users: the attacker poisons a small number of accounts and hijacks sessions or harvests credentials when those users interact with the maliciously configured settings.
If Mitigated
Once patched, the affected configuration fields are sanitized and the injected markup no longer executes. Because administrative credentials are a prerequisite, unauthenticated attackers cannot exploit this on their own; the residual risk is a compromised or malicious admin account.
🎯 Exploit Status
Exploitation requires valid administrative credentials and knowledge of which configuration fields are not sanitized. The page does not reference a public exploit; treat admin-account compromise as the realistic precondition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.9, 10.1.1, or 9.0.0 Patch 41
Vendor Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes
Restart Required: Yes
Instructions:
1. Back up the Zimbra installation (at minimum /opt/zimbra, LDAP and mailbox data) before changing anything.
2. Apply the release or patch for your line (10.0.9, 10.1.1, or the 9.0.0 P41 patch) using the upgrade or patch procedure in the corresponding Zimbra release notes.
3. Restart Zimbra services (zmcontrol restart, run as the zimbra user).
4. Confirm the new release string with zmcontrol -v and spot-check that the admin console and webmail still load.
🔧 Temporary Workarounds
Input Validation Enhancement
The vulnerable fields are written through Zimbra's own admin console and SOAP API, so adding sanitization means modifying Zimbra itself; there is no ready command. Treat this as a development task and prefer patching.
Custom development required - no ready commands
Administrative Access Restriction
Limit administrative access to trusted personnel, expose the admin console (port 7071 by default) only to management networks, and require multi-factor authentication for admin accounts. MFA is configured separately; the commands below do not enable it. Shortening the admin auth-token lifetime (value in seconds) reduces how long a hijacked admin token stays usable:
zmprov ma admin@domain.com zimbraAdminAuthTokenLifetime 3600
Changing an account's zimbraAuthTokenValidityValue to any value different from its current one invalidates that account's existing auth tokens and forces a fresh login; use it after a suspected admin session compromise:
zmprov ma admin@domain.com zimbraAuthTokenValidityValue 3600
🧯 If You Can't Patch
- Add a Content Security Policy (CSP) at the Zimbra proxy to limit script execution; test carefully first, because the Zimbra web client relies on inline scripts and a strict policy is likely to break it.
- Monitor administrative logins and account configuration changes closely (see Detection & Monitoring below) and review any change that writes markup into account attributes.
🔍 How to Verify
Check if Vulnerable:
Print the installed release as the zimbra user: /opt/zimbra/bin/zmcontrol -v
You are vulnerable if the output shows 10.0.x below 10.0.9, 10.1.0, or 9.0.0 without "Patch 9.0.0_P41" (or later) in the release string.
Verify Fix Applied:
After patching, rerun /opt/zimbra/bin/zmcontrol -v and confirm the release is 10.0.9, 10.1.1, or 9.0.0 Patch 41 or later.
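To make the version check above repeatable across a fleet, here is an added example (not Zimbra's own tooling) that classifies the release string printed by zmcontrol -v against the fix levels listed on this page. The sample strings are constructed; the parser assumes the usual shape "Release x.y.z.GA.build... edition, Patch x.y.z_Pn." and treats release lines the advisory does not list (such as 8.8.15) as "unknown" rather than guessing.

```python
"""Classify a `zmcontrol -v` release string against the CVE-2024-45194 fix levels.

Added example for this page, not Zimbra's own tooling. It assumes the release
line looks like the constructed samples in SAMPLE_OUTPUTS; check that against
your own host before relying on it. On a Zimbra host run:
    /opt/zimbra/bin/zmcontrol -v | python3 zimbra_45194_check.py
"""
import re
import sys

# Fixed point releases per the vendor advisory: 10.0.9, 10.1.1, 9.0.0 Patch 41.
FIXED_POINT = {(10, 0): 9, (10, 1): 1}
FIXED_PATCH_900 = 41

RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")

SAMPLE_OUTPUTS = {  # constructed strings in the assumed zmcontrol -v shape
    "10.0.8": "Release 10.0.8.GA.4575.UBUNTU20_64 UBUNTU20_64_FOSS edition.",
    "10.0.9": "Release 10.0.9.GA.4621.UBUNTU22_64 UBUNTU22_64_FOSS edition.",
    "10.1.0": "Release 10.1.0.GA.4700.UBUNTU22_64 UBUNTU22_64_FOSS edition.",
    "10.1.1": "Release 10.1.1.GA.4721.UBUNTU22_64 UBUNTU22_64_FOSS edition.",
    "9.0.0-p40": "Release 9.0.0.GA.4274.UBUNTU18.64 UBUNTU18_64_FOSS edition, Patch 9.0.0_P40.",
    "9.0.0-p41": "Release 9.0.0.GA.4274.UBUNTU18.64 UBUNTU18_64_FOSS edition, Patch 9.0.0_P41.",
    "9.0.0-ga": "Release 9.0.0.GA.4274.UBUNTU18.64 UBUNTU18_64_FOSS edition.",
    "8.8.15": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64_FOSS edition, Patch 8.8.15_P46.",
}


def parse_release(text):
    """Return (major, minor, point, patch_level); patch_level is None when absent."""
    m = RELEASE_RE.search(text)
    if not m:
        raise ValueError("no 'Release x.y.z' found in zmcontrol output")
    major, minor, point = (int(g) for g in m.groups())
    p = PATCH_RE.search(text)
    return major, minor, point, (int(p.group(1)) if p else None)


def assess(text):
    """'fixed', 'vulnerable', or 'unknown' (a release line this advisory does not cover)."""
    major, minor, point, patch = parse_release(text)
    if (major, minor, point) == (9, 0, 0):
        # 9.0.0 is fixed only by patch level; a GA string with no Patch part is unpatched.
        return "fixed" if (patch or 0) >= FIXED_PATCH_900 else "vulnerable"
    if (major, minor) in FIXED_POINT:
        return "fixed" if point >= FIXED_POINT[(major, minor)] else "vulnerable"
    if (major, minor) > (10, 1):
        return "fixed"    # assumption: lines newer than 10.1 carry the fix
    return "unknown"      # e.g. 8.8.15: not listed on this page; review separately


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    rows = [("stdin", data)] if data else list(SAMPLE_OUTPUTS.items())
    for label, out in rows:
        print(f"{label:10s} {assess(out)}")
```

Run without input to see the verdict for each constructed sample; pipe real zmcontrol -v output into it to classify a host. The "unknown" result is deliberate: an end-of-life line that the advisory does not mention should be escalated, not silently reported as safe.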
📡 Detection & Monitoring
Log Indicators (primarily /opt/zimbra/log/audit.log, which records admin authentication and admin SOAP operations):
- Admin logins (cmd=Auth entries carrying admin=1) at unusual times or from unexpected source IPs
- Many ModifyAccount operations from one admin session or source IP in a short window
- Attribute values in those entries containing markup such as <script, <img, onerror= or javascript:
Network Indicators:
- Script tags or event-handler attributes in admin console or webmail requests; these are only visible where TLS is terminated (the Zimbra proxy or a WAF in front of it)
- Admin console (port 7071) connections from outside the management network
SIEM Query (Splunk-style; adjust the source path and field extraction to your own ingestion):
source="/opt/zimbra/log/audit.log" ("cmd=Auth" "admin=1") OR "cmd=ModifyAccount" | rex "\[name=(?<actor>[^;]+);ip=(?<ip>[^;]+);" | stats count by actor, ip, cmd
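The two log indicators above (markup written into account attributes, and bursts of account modifications from one admin) can be checked offline against an exported audit log. The following is an added example written for this page, not Zimbra's own code. The audit line format it parses is an assumption modelled on /opt/zimbra/log/audit.log, and the SAMPLE_LINES are constructed; the displayName attribute in them is only a stand-in for "some account attribute", not a claim about the CVE's actual injection point.

```python
"""Scan Zimbra audit-log lines for markup in account attributes and for bursts
of ModifyAccount calls from a single admin.

Added example for this page, not Zimbra's own tooling. AUDIT_RE encodes an
assumed audit.log shape; SAMPLE_LINES are constructed, not captured.
Usage on an exported log:  python3 scan_audit.py < audit.log
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Assumed shape: "<ts>,<ms> LEVEL [thread] [name=<actor>;ip=<ip>;] security - cmd=<Cmd>; k=v; k=v;"
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+\[[^\]]*\]\s+"
    r"\[name=(?P<actor>[^;]+);ip=(?P<ip>[^;]+);\]\s+security - cmd=(?P<cmd>\w+);(?P<rest>.*)$"
)

# Markup and event handlers that have no business in an account attribute value.
SCRIPT_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

SAMPLE_LINES = [  # constructed, not captured from a real system
    "2024-09-12 08:15:02,113 INFO  [qtp-12] [name=admin@example.com;ip=203.0.113.7;] security - cmd=Auth; account=admin@example.com; admin=1;",
    "2024-09-12 08:15:30,540 INFO  [qtp-12] [name=admin@example.com;ip=203.0.113.7;] security - cmd=ModifyAccount; name=alice@example.com; displayName=Alice Example;",
    "2024-09-12 08:15:41,002 INFO  [qtp-12] [name=admin@example.com;ip=203.0.113.7;] security - cmd=ModifyAccount; name=bob@example.com; displayName=<img src=x onerror=alert(document.cookie)>;",
    "2024-09-12 08:15:45,777 INFO  [qtp-12] [name=admin@example.com;ip=203.0.113.7;] security - cmd=ModifyAccount; name=carol@example.com; zimbraAccountStatus=active;",
    "2024-09-12 08:15:52,210 INFO  [qtp-12] [name=admin@example.com;ip=203.0.113.7;] security - cmd=ModifyAccount; name=dave@example.com; zimbraAccountStatus=active;",
    "2024-09-12 09:40:10,001 INFO  [qtp-3] [name=helpdesk@example.com;ip=198.51.100.9;] security - cmd=ModifyAccount; name=erin@example.com; zimbraAccountStatus=locked;",
    "2024-09-12 09:41:00,001 INFO  [qtp-3] [name=helpdesk@example.com;ip=198.51.100.9;] security - cmd=Auth; account=helpdesk@example.com; admin=1;",
]


def parse_audit_line(line):
    """Return a dict of fields (ts, actor, ip, cmd, attrs) or None if not an audit entry."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
    attrs = {}
    for part in entry.pop("rest").split(";"):
        if "=" in part:                      # split once: values may contain '='
            key, value = part.strip().split("=", 1)
            attrs[key.strip()] = value.strip()
    entry["attrs"] = attrs
    return entry


def find_script_payloads(lines):
    """ModifyAccount entries whose attribute values contain markup or event handlers."""
    hits = []
    for line in lines:
        e = parse_audit_line(line)
        if not e or e["cmd"] != "ModifyAccount":
            continue
        for attr, value in e["attrs"].items():
            if SCRIPT_RE.search(value):
                hits.append({"ts": e["ts"], "actor": e["actor"], "ip": e["ip"],
                             "target": e["attrs"].get("name"), "attr": attr, "value": value})
    return hits


def find_modify_bursts(lines, threshold=3, window_seconds=300):
    """(actor, ip) pairs issuing >= threshold ModifyAccount calls inside a sliding window."""
    stamps_by_actor = defaultdict(list)
    for line in lines:
        e = parse_audit_line(line)
        if e and e["cmd"] == "ModifyAccount":
            stamps_by_actor[(e["actor"], e["ip"])].append(e["ts"])
    bursts = []
    for (actor, ip), stamps in stamps_by_actor.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"actor": actor, "ip": ip, "count": best})
    return bursts


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for h in find_script_payloads(lines):
        print(f"PAYLOAD {h['ts']} {h['actor']} ({h['ip']}) -> {h['target']} {h['attr']}={h['value']}")
    for b in find_modify_bursts(lines):
        print(f"BURST   {b['actor']} ({b['ip']}) {b['count']} ModifyAccount calls")
```

Against the constructed sample the scan flags the one modification that writes an img tag with an onerror handler into bob's account, and separately flags the admin session that changed four accounts within a minute. Tune threshold and window_seconds to your own provisioning patterns so that legitimate bulk changes do not drown out the signal, and keep the SCRIPT_RE list as a starting point rather than a complete filter.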