CVE-2021-35208 - Vulnerability Details

Vendors	Products
Zimbra	Collaboration

Link	Providers
https://blog.sonarsource.com/zimbra-webmail-compromise-via-email
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-02T19:40:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35208", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"name": "https://wiki.zimbra.com/wiki/Security_Center", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"}, {"name": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23", "refsource": "MISC", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"}, {"name": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email", "refsource": "MISC", "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.236Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35208", "datePublished": "2021-07-02T18:54:54", "dateReserved": "2021-06-22T00:00:00", "dateUpdated": "2024-08-04T00:33:51.236Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-08-02T19:40:05 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wiki.zimbra.com/wiki/Security_Center (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2021-35208 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

refsource : MISC (string)

url : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

}

1 : { »

name : https://wiki.zimbra.com/wiki/Security_Center (string)

refsource : MISC (string)

url : https://wiki.zimbra.com/wiki/Security_Center (string)

}

2 : { »

name : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

refsource : MISC (string)

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

}

3 : { »

name : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

refsource : MISC (string)

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

}

4 : { »

name : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

refsource : MISC (string)

url : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T00:33:51.236Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wiki.zimbra.com/wiki/Security_Center (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2021-35208 (string)

datePublished : 2021-07-02T18:54:54 (string)

dateReserved : 2021-06-22T00:00:00 (string)

dateUpdated : 2024-08-04T00:33:51.236Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BDCCB43-EBE0-4E5D-B2E1-E346A3694AB9", "versionEndExcluding": "8.8.15", "versionStartIncluding": "8.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*", "matchCriteriaId": "1B17C1A7-0F0A-4E7C-8C0C-0BBB0BF66C82", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p1:*:*:*:*:*:*", "matchCriteriaId": "BA48C450-201C-4398-AB65-EF6F95FB0380", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p10:*:*:*:*:*:*", "matchCriteriaId": "5F759114-CF2D-48BF-8D09-EBE8D1ED1949", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:*", "matchCriteriaId": "AE8BD950-24A2-4AFF-B7EE-6EE115BD75D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p12:*:*:*:*:*:*", "matchCriteriaId": "C43634F5-2946-44D2-8A50-B717374A8126", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p13:*:*:*:*:*:*", "matchCriteriaId": "20315895-5410-4B88-B2D9-E9C5D79A64DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p14:*:*:*:*:*:*", "matchCriteriaId": "BF405091-A832-4945-87EC-AA525F37DF91", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p15:*:*:*:*:*:*", "matchCriteriaId": "C9B6FFA8-CFD2-47C6-9475-79210CB9AA84", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p16:*:*:*:*:*:*", "matchCriteriaId": "964CA714-937C-4FC0-A1E9-07F846C786BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p17:*:*:*:*:*:*", "matchCriteriaId": "DAF8F155-1406-46ED-A81F-BCC4CE525F43", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p18:*:*:*:*:*:*", "matchCriteriaId": "56A8F56B-3457-4C19-B213-3B04FEE8D7A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p19:*:*:*:*:*:*", "matchCriteriaId": "B4F8D255-3F91-45FF-9133-4023BA688F9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p2:*:*:*:*:*:*", "matchCriteriaId": "37BC4DF5-D111-4295-94FC-AA8929CDF2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p20:*:*:*:*:*:*", "matchCriteriaId": "A9D50108-0404-4791-8057-DB1786D311C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p21:*:*:*:*:*:*", "matchCriteriaId": "F2A7E53F-8EAC-4DA9-8EAE-117759EFABEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p22:*:*:*:*:*:*", "matchCriteriaId": "858727DB-AE6F-435D-B8FD-6C94C3400E40", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:*", "matchCriteriaId": "21768A61-7578-4EEC-A23B-FEC10CAA9EDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p4:*:*:*:*:*:*", "matchCriteriaId": "661403E7-1D65-4710-8413-47D74FF65BE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:*", "matchCriteriaId": "0695D2E0-45B3-493C-BA6D-471B90C0ACC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p6:*:*:*:*:*:*", "matchCriteriaId": "714FAFE6-68AE-4304-B040-48BC46F85A2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p7:*:*:*:*:*:*", "matchCriteriaId": "73FC2D2D-8BBD-4259-8B35-0D9BFA40567B", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p8:*:*:*:*:*:*", "matchCriteriaId": "AB97E9E6-CC4A-458D-B731-6D51130B942C", "vulnerable": true}, {"criteria": "cpe:2.3:a:zimbra:collaboration:8.8.15:p9:*:*:*:*:*:*", "matchCriteriaId": "BA688C43-846A-4C4A-AEDB-113D967D3D73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document."}, {"lang": "es", "value": "Se ha detectado un problema en el archivo ZmMailMsgView.js en el componente Calendar Invite en Zimbra Collaboration Suite versiones 8.8.x anteriores a 8.8.15 Patch 23. Un atacante podr\u00eda colocar HTML conteniendo JavaScript ejecutable dentro de los atributos de los elementos. Este marcado se convierte en no escape causando que un marcado arbitrario sea inyectado en el documento"}], "id": "CVE-2021-35208", "lastModified": "2024-11-21T06:12:03.543", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-02T19:15:08.417", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Security_Center"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 9BDCCB43-EBE0-4E5D-B2E1-E346A3694AB9 (string)

versionEndExcluding : 8.8.15 (string)

versionStartIncluding : 8.8 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:* (string)

matchCriteriaId : 1B17C1A7-0F0A-4E7C-8C0C-0BBB0BF66C82 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p1:*:*:*:*:*:* (string)

matchCriteriaId : BA48C450-201C-4398-AB65-EF6F95FB0380 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p10:*:*:*:*:*:* (string)

matchCriteriaId : 5F759114-CF2D-48BF-8D09-EBE8D1ED1949 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:* (string)

matchCriteriaId : AE8BD950-24A2-4AFF-B7EE-6EE115BD75D6 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p12:*:*:*:*:*:* (string)

matchCriteriaId : C43634F5-2946-44D2-8A50-B717374A8126 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p13:*:*:*:*:*:* (string)

matchCriteriaId : 20315895-5410-4B88-B2D9-E9C5D79A64DF (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p14:*:*:*:*:*:* (string)

matchCriteriaId : BF405091-A832-4945-87EC-AA525F37DF91 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p15:*:*:*:*:*:* (string)

matchCriteriaId : C9B6FFA8-CFD2-47C6-9475-79210CB9AA84 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p16:*:*:*:*:*:* (string)

matchCriteriaId : 964CA714-937C-4FC0-A1E9-07F846C786BD (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p17:*:*:*:*:*:* (string)

matchCriteriaId : DAF8F155-1406-46ED-A81F-BCC4CE525F43 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p18:*:*:*:*:*:* (string)

matchCriteriaId : 56A8F56B-3457-4C19-B213-3B04FEE8D7A5 (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p19:*:*:*:*:*:* (string)

matchCriteriaId : B4F8D255-3F91-45FF-9133-4023BA688F9E (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p2:*:*:*:*:*:* (string)

matchCriteriaId : 37BC4DF5-D111-4295-94FC-AA8929CDF2A1 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p20:*:*:*:*:*:* (string)

matchCriteriaId : A9D50108-0404-4791-8057-DB1786D311C8 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p21:*:*:*:*:*:* (string)

matchCriteriaId : F2A7E53F-8EAC-4DA9-8EAE-117759EFABEF (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p22:*:*:*:*:*:* (string)

matchCriteriaId : 858727DB-AE6F-435D-B8FD-6C94C3400E40 (string)

vulnerable : true (boolean)

}

17 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:* (string)

matchCriteriaId : 21768A61-7578-4EEC-A23B-FEC10CAA9EDF (string)

vulnerable : true (boolean)

}

18 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p4:*:*:*:*:*:* (string)

matchCriteriaId : 661403E7-1D65-4710-8413-47D74FF65BE4 (string)

vulnerable : true (boolean)

}

19 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:* (string)

matchCriteriaId : 0695D2E0-45B3-493C-BA6D-471B90C0ACC5 (string)

vulnerable : true (boolean)

}

20 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p6:*:*:*:*:*:* (string)

matchCriteriaId : 714FAFE6-68AE-4304-B040-48BC46F85A2D (string)

vulnerable : true (boolean)

}

21 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p7:*:*:*:*:*:* (string)

matchCriteriaId : 73FC2D2D-8BBD-4259-8B35-0D9BFA40567B (string)

vulnerable : true (boolean)

}

22 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p8:*:*:*:*:*:* (string)

matchCriteriaId : AB97E9E6-CC4A-458D-B731-6D51130B942C (string)

vulnerable : true (boolean)

}

23 : { »

criteria : cpe:2.3:a:zimbra:collaboration:8.8.15:p9:*:*:*:*:*:* (string)

matchCriteriaId : BA688C43-846A-4C4A-AEDB-113D967D3D73 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. (string)

}

1 : { »

lang : es (string)

value : Se ha detectado un problema en el archivo ZmMailMsgView.js en el componente Calendar Invite en Zimbra Collaboration Suite versiones 8.8.x anteriores a 8.8.15 Patch 23. Un atacante podría colocar HTML conteniendo JavaScript ejecutable dentro de los atributos de los elementos. Este marcado se convierte en no escape causando que un marcado arbitrario sea inyectado en el documento (string)

}

]

id : CVE-2021-35208 (string)

lastModified : 2024-11-21T06:12:03.543 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 3.5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:S/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : LOW (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.3 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-07-02T19:15:08.417 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Exploit (string)

1 : Mitigation (string)

2 : Third Party Advisory (string)

]

url : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Security_Center (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

}

3 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

}

4 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Mitigation (string)

2 : Third Party Advisory (string)

]

url : https://blog.sonarsource.com/zimbra-webmail-compromise-via-email (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Security_Center (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23 (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object