CVE-2024-33533 to 33536: Zimbra Users at Risk of XSS and LFI Attacks
Zimbra Collaboration, a widely adopted email and collaboration platform, has disclosed three new security vulnerabilities. These flaws, identified as CVE-2024-33533, CVE-2024-33535, and CVE-2024-33536, impact Zimbra Collaboration versions 9.0 and 10.0, potentially exposing users to cross-site scripting (XSS) and local file inclusion (LFI) attacks.
Technical Breakdown of the Vulnerabilities
- CVE-2024-33533: This vulnerability resides in the Zimbra webmail admin interface, stemming from inadequate input validation of the ‘packages’ parameter. A successful exploit could enable an authenticated attacker to inject and execute malicious JavaScript code within the context of another user’s browser session.
- CVE-2024-33535: This flaw pertains to unauthenticated local file inclusion within a web application, specifically linked to the handling of the ‘packages’ parameter. An attacker could leverage this vulnerability to include arbitrary local files without authentication, potentially granting unauthorized access to sensitive information within a defined directory.
- CVE-2024-33536: This vulnerability also involves reflected XSS, arising from insufficient input validation of the ‘res’ parameter. Similar to CVE-2024-33533, a successful exploit could allow an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user’s browser session.
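As an added, defender-side illustration (not code from the advisory or from Zimbra), the following Python script scans web-server access logs for requests whose ‘packages’ or ‘res’ parameters carry markup or path-traversal indicators, which is the kind of probing these three flaws would attract. The log lines are constructed, and the /admin/ and /webmail/ paths are placeholders rather than Zimbra's real endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters named in the advisory for CVE-2024-33533/33535/33536.
WATCHED_PARAMS = ("packages", "res")

# Combined Log Format request line; matches default Apache/nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Markup or event-handler syntax in a value that should be a plain package/resource name.
XSS_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)
# Parent-directory traversal, absolute path, or NUL byte in a value that should be a file name.
LFI_RE = re.compile(r'\.\.[/\\]|^/|\x00')

# Constructed sample lines; /admin/ and /webmail/ are placeholder paths, not Zimbra's endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:10:01:02 +0000] "GET /admin/?packages=Mail HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2024:10:01:09 +0000] "GET /admin/?packages=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.9 - - [10/Apr/2024:10:02:14 +0000] "GET /webmail/?res=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Apr/2024:10:02:20 +0000] "GET /webmail/?res=skin.css HTTP/1.1" 200 1024
"""

def classify(value):
    """Return the indicator tags for one parameter value (empty list if clean)."""
    # Decode twice so a double-encoded value such as %252e%252e%252f is still caught.
    decoded = unquote(unquote(value))
    tags = []
    if XSS_RE.search(decoded):
        tags.append("xss-indicator")
    if LFI_RE.search(decoded):
        tags.append("lfi-indicator")
    return tags

def scan_log(text):
    """Return one finding per watched parameter whose value carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable request line
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in WATCHED_PARAMS:
                tags = classify(value)
                if tags:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "param": name, "value": value, "tags": tags})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; feed real access logs to `scan_log` and forward the findings to your SIEM or alerting pipeline.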
Historical Context of Zimbra Vulnerabilities
While there is currently no evidence of active exploitation of these specific vulnerabilities, Zimbra Collaboration has historically been a target for malicious actors. The platform’s widespread use and the potential impact of successful attacks make it an attractive target. Recent examples of Zimbra-related security incidents include:
- August 2022: CISA added the Zimbra CVE-2022-27924 flaw as ‘Known Exploited,’ highlighting active exploitation by hackers.
- October 2022: An RCE vulnerability (CVE-2022-41352) in Zimbra is actively exploited.
- March 2023: The Russian hacking group TA473 leverages vulnerabilities in unpatched Zimbra endpoints to exfiltrate emails from high-profile targets.
- November 2023: Google’s Threat Analysis Group (TAG) uncovers the exploitation of a zero-day vulnerability (CVE-2023-37580) in Zimbra, leading to sensitive data theft from government systems.
Immediate Action Required
Given Zimbra’s track record and the potential severity of these new vulnerabilities, organizations utilizing Zimbra Collaboration are strongly urged to apply the latest security patches without delay. Failure to address these flaws could result in data breaches, system compromise, and significant operational disruption.