CVE-2024-45514

MEDIUM

Zimbra Collaboration Suite < 8.8.15 - Cross-Site Scripting via Packaged Parameter

Title source: llm
STIX 2.1

Description

An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session.

Scores

CVSS v3 5.4
EPSS 0.0065
EPSS Percentile 46.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
synacor/zimbra_collaboration_suite 8.8.15 (47 CPE variants)
synacor/zimbra_collaboration_suite 9.0.0 (3 CPE variants)
Published Nov 21, 2024
Tracked Since Feb 18, 2026