Vulnerability detail
Enriched intelligence for a single CVE
Medium
CVE-2018-6882
PUBLISHED
- Vendor: Zimbra
- Product: Collaboration Suite
- Published: Mar 27, 2018
- EPSS: —
Description
Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AV:N/AC:M/Au:N/C:N/I:P/A:N
SSVC decision points
- Exploitation: active
- Automatable: No
- Technical impact: partial
References
- http://seclists.org/fulldisclosure/2018/Mar/52
- https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- http://www.securityfocus.com/archive/1/541891/100/0/threaded
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Apr 19, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-6882.yaml | Jun 01, 2026 |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Exploit Used in Malware
- Added to KEVIntel
- Detected by Nuclei