CVE-2024-45511

MEDIUM

Zimbra Collaboration Suite < 10.0.9 - Reflected Cross-Site Scripting via OnlyOffice Formatter

Title source: llm
STIX 2.1

Description

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.

Scores

CVSS v3 5.4
EPSS 0.0031
EPSS Percentile 23.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
synacor/zimbra_collaboration_suite 10.1.0
synacor/zimbra_collaboration_suite < 10.0.9
Published Nov 20, 2024
Tracked Since Feb 18, 2026