CVE-2024-45510

MEDIUM

Zimbra Collaboration Suite < 9.0.0 - Stored Cross-Site Scripting via Contact List

Title source: llm
STIX 2.1

Description

An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.

Scores

CVSS v3 5.4
EPSS 0.0031
EPSS Percentile 23.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
synacor/zimbra_collaboration_suite 9.0.0 (42 CPE variants)
synacor/zimbra_collaboration_suite < 9.0.0
Published Nov 20, 2024
Tracked Since Feb 18, 2026