CVE-2024-45517

MEDIUM

Zimbra Collaboration Suite < 8.8.15 - Cross-Site Scripting via /h/rest Endpoint

Title source: llm
STIX 2.1

Description

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.

Scores

CVSS v3 5.4
EPSS 0.0053
EPSS Percentile 41.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
synacor/zimbra_collaboration_suite 8.8.15 (47 CPE variants)
synacor/zimbra_collaboration_suite 9.0.0 (3 CPE variants)
Published Nov 21, 2024
Tracked Since Feb 18, 2026