CVE-2023-37580

ENISA EUVD: EUVD-2023-41465 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: May 23, 2026 4 articles Published: 2023-07-31

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

93.92%

probability

This CVE has a 93.92% probability of being exploited in the next 30 days.

0% Top 99.9th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

6.1

MEDIUM

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

VulnerabilityLookup (CNA)

Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

Affected Products

n/a

synacor

zimbra collaboration suite

n/a

Attack Intelligence

CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79 · Cross-site Scripting

Google Project Zero

Discovered

June 29, 2023

Patched

July 26, 2023

Reported by

Clement Lecigne of the Google Threat Analysis Group

Root Cause Analysis

???

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

http://www.openwall.com/lists/oss-security/2023/11/17/2

mailing-list

Signal Intelligence

Confidenceⓘ

95%

EPSS 93.92%

CVSS v3.1 6.1

Mentions 4

Last Seen Nov 17, 2023

CNA Information

CNA Assigner

mitre

Analyst Note

Auto-confirmed: présent dans Google Project Zero

Triage Info

Decided atMay 23, 2026

Published DateJul 31, 2023