Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Zimbra Collaboration Stored Cross-Site Scripting Vulnerability in Classic Web Client

Vulnerability

A stored cross-site scripting vulnerability has been identified in Zimbra Collaboration (ZCS) versions 9.0.0, 10.0.0, and 10.1.0. It arises from inadequate sanitization of HTML content in ICS files within the Classic Web Client. When a user views an email containing a malicious ICS entry, the embedded JavaScript is executed via an ontoggle event handler on a <details> tag. Successful exploitation allows an attacker to run arbitrary JavaScript in the victim's session, potentially leading to unauthorized actions such as redirecting the victim's email to an attacker-controlled address.
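As an added defender-side example (not Zimbra's code or the page's own), the check below scans the text properties of an ICS file for HTML tags carrying inline event-handler attributes such as the ontoggle handler described above, unfolding RFC 5545 continuation lines before matching; the sample calendar is constructed for the example and its handler body is a placeholder.

```python
import re

# RFC 5545 folds long lines; a continuation line starts with a space or tab. Scan
# only after unfolding: a handler name split across a fold evades a per-line grep.
def unfold_ics(text: str) -> str:
    return re.sub(r"\r?\n[ \t]", "", text)

# Text properties a web client may render as HTML.
TEXT_PROPS = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT"}

# An HTML start tag carrying an on* event-handler attribute, e.g. <details ontoggle=...>.
EVENT_HANDLER_RE = re.compile(r"<([a-zA-Z][\w-]*)\b[^>]*?\s(on[a-zA-Z]+)\s*=", re.IGNORECASE)

def unescape_ics_text(value: str) -> str:
    """Undo RFC 5545 TEXT escaping: \\n, \\, \\; and \\\\."""
    value = re.sub(r"\\[nN]", "\n", value)
    return value.replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\")

def text_properties(ics: str):
    """Yield (property, value) for every text property, parameters stripped."""
    for line in unfold_ics(ics).splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop ;LANGUAGE=... and other parameters
        if prop in TEXT_PROPS:
            yield prop, unescape_ics_text(value)

def find_html_event_handlers(ics: str):
    """Return [(property, tag, handler)] for each inline event handler found."""
    findings = []
    for prop, value in text_properties(ics):
        for m in EVENT_HANDLER_RE.finditer(value):
            findings.append((prop, m.group(1).lower(), m.group(2).lower()))
    return findings

# Constructed sample (not a real capture): the handler name is split across a fold so
# only an unfolded scan sees "ontoggle"; the handler body is a placeholder, not live code.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-1\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda attached.<details open onto\r\n"
    " ggle=\"placeholder()\"></details>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
```

A mail gateway or ingestion pipeline can quarantine the message or strip the offending property when this returns findings. An empty result is not proof of safety, since HTML-entity encoding and other obfuscation are not decoded here.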

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the email or calendar event.

Reproduction

To reproduce this vulnerability, send an email to a user with an ICS attachment that contains malicious JavaScript. When the user opens the email and interacts with the ICS entry, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to ZCS 10.1.5, ZCS 10.0.14, or ZCS 9.0.0 Patch 44, all released on January 27, 2025. Instructions for upgrading can be found on the Zimbra website.

Added: Jun 9, 2025, 7:46 PM
Updated: Oct 7, 2025, 6:59 PM

Vulnerability Rating

Custom Algorithm
  spread          3.4
  impact          3.1
  exploitability  8.3
  remediation     7.7
  relevance       0.0
  threat          8.5
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.