Zimbra has issued an urgent call for customers to patch a critical security flaw in its Classic Web Client that could let attackers execute arbitrary code through specially crafted emails. The vulnerability is a stored cross-site scripting (XSS) issue, where a malicious email, when opened by a user, can run scripts in their session. This could expose mailbox data, session tokens, and account settings to an attacker.
How the Attack Works
Stored XSS vulnerabilities occur when an application improperly handles untrusted data, allowing attackers to inject persistent JavaScript into a database. In this case, the malicious script is embedded within an email and stored on the server. Any user who opens the email triggers the script in their browser, potentially leading to session hijacking, credential theft, or full account takeover. While Zimbra has not reported active exploitation of this specific flaw, the company acknowledges its high potential for abuse.
Impact and Recommended Action
Zimbra has a history of being targeted for XSS flaws, with prior CVEs such as CVE-2025-27915, CVE-2023-37580, and CVE-2024-27443 being exploited or alleged to have been exploited in the wild. Although this latest vulnerability has not yet received a CVE identifier, Zimbra recommends all users update to Zimbra Collaboration Suite version 10.1.19 to mitigate the risk. Given the severity of stored XSS in an email platform, administrators should prioritize this update to prevent potential data breaches.
Source: The Hacker News
