Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Zimbra Collaboration Stored Cross-Site Scripting Vulnerability in Classic Web Client

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Zimbra Collaboration (ZCS) Classic Web Client, specifically in versions 8.8.15, 9.0, 10.0, and 10.1. This vulnerability allows attackers to inject and execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. The issue stems from inadequate sanitization of HTML content, particularly in crafted email messages viewed in the Classic UI, and can be exploited without any additional user interaction.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s session.

Reproduction

To reproduce this vulnerability, send an email containing crafted HTML that exploits the lack of proper sanitization, specifically using tag structures and attribute values that include an @import directive or other script injection vectors. Once the email is received, view it in the Zimbra Classic Web Client. The injected JavaScript will execute within the user's session, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to ZCS versions 9.0.0 Patch 45, 10.0.14, or 10.1.6, all of which include the necessary security fix.
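A helper that checks a reported ZCS version against the fixed builds named above (9.0.0 Patch 45, 10.0.14, 10.1.6), added here as an example; it is not part of the original advisory or of Zimbra's own tooling, and the accepted version-string formats are an assumption:

```python
import re
from typing import Tuple

# Fixed builds named in the advisory, keyed by release branch (major, minor).
# Value: (minimum micro version, minimum patch level) for that branch.
FIXED_BUILDS = {
    (9, 0): (0, 45),   # 9.0.0 Patch 45
    (10, 0): (14, 0),  # 10.0.14
    (10, 1): (6, 0),   # 10.1.6
}
# 8.8.15 is listed as affected, but the advisory names no fixed 8.8.x build.
AFFECTED_WITHOUT_FIX = {(8, 8)}

# Assumed input formats: "10.0.13", "9.0.0_P45", "9.0.0 Patch 45" (case-insensitive).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[\s_]*(?:Patch|P)\s*(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, micro, patch); patch is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized ZCS version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def assess(text: str) -> str:
    """Classify a version as fixed, vulnerable, or not listed in this advisory."""
    major, minor, micro, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        need_micro, need_patch = FIXED_BUILDS[branch]
        # Tuple comparison: a later micro release outranks any patch level of an earlier one.
        if (micro, patch) >= (need_micro, need_patch):
            return "fixed"
        return "vulnerable"
    if branch in AFFECTED_WITHOUT_FIX:
        return "vulnerable: no fixed build listed for this branch"
    return "not listed as affected"


if __name__ == "__main__":
    # Constructed sample inputs, e.g. values collected from each mailbox host.
    for sample in ["10.0.13", "10.0.14", "9.0.0_P44", "9.0.0 Patch 45", "8.8.15"]:
        print(f"{sample:16} -> {assess(sample)}")
```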

Added: Jun 23, 2025, 3:44 PM
Updated: Apr 20, 2026, 7:02 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 9.3
remediation: 7.7
relevance: 0.2
threat: 8.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.