{"id":10248,"date":"2025-06-25T15:19:34","date_gmt":"2025-06-25T08:19:34","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10248"},"modified":"2026-02-03T15:20:59","modified_gmt":"2026-02-03T08:20:59","slug":"lo-hong-zimbra-classic-web-client-cho-phep-thuc-thi-ma-javascript","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/06\/25\/lo-hong-zimbra-classic-web-client-cho-phep-thuc-thi-ma-javascript\/","title":{"rendered":"Zimbra Classic Web Client vulnerability allows JavaScript code execution"},
"content":{"rendered":"<p>A high-severity vulnerability has been identified in the Zimbra Classic Web Client that lets an attacker inject and execute arbitrary JavaScript through stored cross-site scripting (XSS). The flaw is tracked as CVE-2025-27915 and is rated by security researchers as a serious threat: it can be used to take over email accounts, steal sensitive information and spread malicious content inside the affected system.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\" wp-image-10249 aligncenter\" src=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/zimbra-300x167.png\" alt=\"\" width=\"677\" height=\"377\" srcset=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/zimbra-300x167.png 300w, https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/zimbra.png 700w\" sizes=\"(max-width: 677px) 100vw, 677px\" \/><\/p>\n<p>Compared with reflected XSS, which only fires when the victim interacts with a malicious link, stored XSS is considerably more dangerous because the payload is saved on the server. Each time a user opens the affected content, the browser runs the malicious JavaScript automatically, with no further action from the victim. This is what makes CVE-2025-27915 a vulnerability that needs urgent attention.<\/p>\n<p>Technical analysis places the root cause in the input validation and sanitization of Zimbra's Classic interface, which is not strict enough. An attacker can use this weakness to inject malicious JavaScript into content that the system neither output-encodes nor safely strips before rendering. When that data is displayed to another user, the browser treats it as legitimate content and executes the code as part of the application.<\/p>\n<p>Successful exploitation of CVE-2025-27915 can have serious consequences. An attacker can steal session cookies to gain access to the email account, act on the user's behalf, read their correspondence, or even run sophisticated phishing campaigns from inside the victim organization's internal email system. Because the injected script runs inside the victim's authenticated session, marking session cookies HttpOnly does not stop it from calling the mail client's own API as that user.<\/p>\n<p>Affected versions of the Zimbra Classic Web Client are those released before Zimbra 9.0.0 Patch 46, 10.0.15 and 10.1.9. These versions are not fully equipped with modern defenses such as effective output encoding or a Content Security Policy (CSP) strong enough to stop malicious code from being injected and executed.<\/p>\n<p>With Zimbra deployed widely in organizations around the world, especially in enterprises and government agencies, the flaw carries a risk of large-scale exploitation if it is not fixed promptly.<\/p>\n<p>In response, Zimbra quickly released security patches for its three main product lines: Zimbra 9.0.0 Patch 46, 10.0.15 and 10.1.9. Beyond tightening input validation, these updates add an enhanced HTML parser, strengthen content filtering on both the ingest and output sides, and adjust the configuration of the Jetty web server, a key component of Zimbra's user interface architecture.<\/p>\n<p>System administrators are advised to deploy the patch as soon as possible; the installed release and patch level can be checked with <code>zmcontrol -v<\/code> run as the zimbra user. They should also review every input point in the application, audit any custom code, and apply stricter content control policies to reduce the risk of similar attacks in the future.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>A high-severity vulnerability has been identified in the Zimbra Classic Web Client that lets an attacker inject and execute arbitrary JavaScript through stored cross-site scripting (XSS). The flaw is tracked as CVE-2025-27915 and is rated by security researchers [&hellip;]<\/p>\n","protected":false},
"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10248","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10248"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10248\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}