Zimbra Collaboration Cross-Site Scripting Vulnerability in Classic UI

A Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration (ZCS) versions 9.0.0 prior to Patch 43, 10.0.x prior to 10.0.12, 10.1.x prior to 10.1.4, and 8.8.15 prior to Patch 47. This vulnerability allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. The issue stems from inadequate sanitization of HTML content, particularly malformed <img> tags containing embedded JavaScript. Exploitation occurs when a user views a specially crafted email in the Classic UI, without requiring any additional interaction.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting, where an attacker can execute malicious scripts in the context of the user's session.

Remediation

Users can upgrade to Zimbra Collaboration versions 10.1.4, 10.0.12, or 8.8.15 Patch 47. Instructions for upgrading to version 10.1.4 are available on the Zimbra Wiki.