
Zimbra Collaboration Suite warning: Patch this 0-day right now (by hand)!
2023-07-14 19:58

Popular collaboration product Zimbra has warned customers to apply a software patch urgently to close a security hole that it says "Could potentially impact the confidentiality and integrity of your data."

The vulnerability is what's known as an XSS bug, short for cross-site scripting, whereby performing an innocent-looking operation via site X, such as clicking through to site Y, gives the operator of site X a sneaky chance to implant rogue JavaScript code into the web pages that your browser receives back from Y. This, in turn, means that X may end up with access to your account on site Y, by reading out and perhaps even modifying data that would otherwise be private to Y, such as your account details, login cookies, authentication tokens, transaction history, and so on.

The patch turns out to be urgent enough to be needed right away, because the vulnerability was spotted in a real-life cyberattack by a security researcher at Google.

Zimbra has therefore warned its customers to apply the fix themselves by hand, which requires a single-line edit to a single data file in the product's installation directory.

Simply put, XSS attacks usually involve tricking a server into generating a web page that trustingly includes data submitted from outside, without checking that the data is safe to send directly to the user's browser.
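As an added illustration of the pattern just described (not code from Zimbra or from the original article), this Python sketch renders a hidden form field from request data with and without output encoding, then parses each page to list the tags a browser would see. The function names, the field name `q` and the sample value are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: closes the attribute and the tag, then adds markup.
HOSTILE = '"><script>alert(1)</script>'


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: outside data is pasted into the page verbatim."""
    return f'<form><input type="hidden" name="q" value="{value}"/></form>'


def render_safe(value: str) -> str:
    """Hardened pattern: encode for the HTML attribute context on output."""
    encoded = html.escape(value, quote=True)
    return f'<form><input type="hidden" name="q" value="{encoded}"/></form>'


class TagCollector(HTMLParser):
    """Records each start tag and the decoded value of every <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def parse(page: str):
    """Return (start tags seen, input values) for a rendered page."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags, collector.values


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        tags, values = parse(render(HOSTILE))
        print(f"{render.__name__}: tags={tags} values={values}")
```

In the unsafe rendering the parser reports an extra `script` element; in the safe rendering the same input survives only as the field's data.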

Incidentally, the one-line patch you're urged to apply in the Zimbra product directory involves changing an item in a built-in web form from this.


News URL

https://nakedsecurity.sophos.com/2023/07/14/zimbra-collaboration-suite-warning-patch-this-0-day-right-now-by-hand/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zimbra 8 2 53 11 7 73