CVE-2024-45517
MEDIUMZimbra Collaboration Suite < 8.8.15 - Cross-Site Scripting via /h/rest Endpoint
Title source: llmDescription
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
References (6)
Core 6
Core References
Vendor Advisory
https://wiki.zimbra.com/wiki/Security_Center
Scores
CVSS v3
5.4
EPSS
0.0053
EPSS Percentile
41.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
synacor/zimbra_collaboration_suite
8.8.15 (47 CPE variants)
synacor/zimbra_collaboration_suite
9.0.0 (3 CPE variants)
Published
Nov 21, 2024
Tracked Since
Feb 18, 2026