Cross-site scripting in Zimbra Collaboration - #VU126624

 


Published: December 17, 2024 / Updated: April 21, 2026


Vulnerability identifier: #VU126624
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Synacor Inc.
Affected software: Zimbra Collaboration

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in Zimbra Classic UI when rendering crafted HTML content. A remote attacker can send crafted HTML content to execute arbitrary script in the victim's browser.

User interaction is required to view the crafted HTML content.


Remediation

Install the security update from the vendor's website.
