CVE-2024-45514
MEDIUMZimbra Collaboration Suite < 8.8.15 - Cross-Site Scripting via Packaged Parameter
Title source: llmDescription
An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session.
References (6)
Core 6
Core References
Vendor Advisory
https://wiki.zimbra.com/wiki/Security_Center
Scores
CVSS v3
5.4
EPSS
0.0065
EPSS Percentile
46.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
synacor/zimbra_collaboration_suite
8.8.15 (47 CPE variants)
synacor/zimbra_collaboration_suite
9.0.0 (3 CPE variants)
Published
Nov 21, 2024
Tracked Since
Feb 18, 2026