CVE-2024-45516
MEDIUMZimbra Collaboration Suite 8.8.15-9.0.0, 10.0.0-10.0.11, 10.1.0-10.1.3 - Stored XSS via IMG Tag
Title source: llmDescription
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
References (4)
Core 4
Core References
Vendor Advisory
https://wiki.zimbra.com/wiki/Security_Center
Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Scores
CVSS v3
6.1
EPSS
0.0034
EPSS Percentile
26.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
synacor/zimbra_collaboration_suite
8.8.15 (48 CPE variants)
synacor/zimbra_collaboration_suite
9.0.0 (2 CPE variants)
Published
May 14, 2025
Tracked Since
Feb 18, 2026