| CVE-2008-1226 |
|
发布时间 :2008-03-10 13:44:00 | ||
| 修订时间 :2008-10-07 02:28:54 | ||||
| NMCO |
[原文]Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration Suite (ZCS) 4.0.3, 4.5.6, and possibly other versions before 4.5.10 allow remote attackers to inject arbitrary web script or HTML via an e-mail attachment, possibly involving a (1) .jpg or (2) .gif image attachment.
[CNNVD]Zimbra Collaboration Suite 多个跨站脚本漏洞(CNNVD-200803-114)
Zimbra Collaboration Suite是一个可为通信和协同办公提供开源服务器和客户端的电子邮件软件。
Zimbra Collaboration Suite (ZCS)存在多个跨站脚本漏洞,远程攻击者借助一个e-mail附件,注入任意的Web脚本或HTML。该附件可能涉及(1).jpg或(2).gif image。
–
CVSS (基础分值)
| CVSS分值: | 4.3 | [中等(MEDIUM)] |
| 机密性影响: | NONE | [对系统的机密性无影响] |
| 完整性影响: | PARTIAL | [可能会导致系统文件被修改] |
| 可用性影响: | NONE | [对系统可用性无影响] |
| 攻击复杂度: | MEDIUM | [漏洞利用存在一定的访问条件] |
| 攻击向量: | NETWORK | [攻击者不需要获取内网访问权或本地访问权] |
| 身份认证: | NONE | [漏洞利用无需身份认证] |
–
CWE (弱点类目)
| CWE-79 | [在Web页面生成时对输入的转义处理不恰当(跨站脚本)] |
–
CPE (受影响的平台与产品)
| cpe:/a:zimbra:collaboration_suite:4.0.3 | |
| cpe:/a:zimbra:collaboration_suite:4.5.6 |
–
OVAL (用于检测的技术细节)
| 未找到相关OVAL定义 |
–
官方数据库链接
–
其它链接及资源
| http://www.securityfocus.com/bid/28134
(PATCH) BID 28134 |
| http://www.zimbra.com/jp/products/vulnerability.html
(UNKNOWN) CONFIRM http://www.zimbra.com/jp/products/vulnerability.html |
| http://secunia.com/advisories/29263
(VENDOR_ADVISORY) SECUNIA 29263 |
| http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000004.html
(UNKNOWN) JVNDB JVNDB-2008-000004 |
| http://jvn.jp/jp/JVN%2395014590/index.html
(UNKNOWN) JVN JVN#95014590 |
| http://xforce.iss.net/xforce/xfdb/41044
(UNKNOWN) XF zimbra-email-xss(41044) |
–
漏洞信息
| Zimbra Collaboration Suite 多个跨站脚本漏洞 | |
| 中危 | 跨站脚本 |
| 2008-03-10 00:00:00 | 2008-10-07 00:00:00 |
| 远程 | |
| Zimbra Collaboration Suite是一个可为通信和协同办公提供开源服务器和客户端的电子邮件软件。
Zimbra Collaboration Suite (ZCS)存在多个跨站脚本漏洞,远程攻击者借助一个e-mail附件,注入任意的Web脚本或HTML。该附件可能涉及(1).jpg或(2).gif image。 |
|
–
公告与补丁
| 目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://www.zimbra.com/blog/archives/2007/11/zcs_4510_has_been_released.html |
–
漏洞信息
42643 |
|
| Zimbra Collaboration Suite Email Attachment XSS | |
Remote / Network Access |
Input Manipulation |
| Loss of Integrity | Upgrade |
| Exploit Public | Vendor Verified |
–
漏洞描述
–
时间线
2008-03-07 |
Unknow |
| Unknow | Unknow |
–
解决方案
| Upgrade to version 4.5.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. |
–
相关参考
|
漏洞作者
| Unknown or Incomplete |
![[图片] “草它妈”遭众多网友恶搞1楼 2008-09-16 15:41:50-微慑信息网-VulSee.com](http://img1.bbs.163.com/20080916/baoliao/gz/gz_fmks/40c2776edd3032f7029b1bc4b37dec49.jpg)
![[java]Error:(6, 9) java: 无法从静态上下文中引用非静态 方法 getFiles(java.lang.String)-微慑信息网-VulSee.com](http://vulsee.com/wp-content/uploads/2020/08/958.png)
![[八卦] 王婷婷—揭秘一个大三女生的性爱录像-微慑信息网-VulSee.com](http://free.86hy.com/crack/pic/1.jpg)
![[随笔]今天国际警察节-微慑信息网-VulSee.com](http://photo.sohu.com/20041017/Img222528326.jpg)
青云网
