Zimbra Classic Web Client Vulnerability Allows Code Execution via Malicious Emails

A stored XSS vulnerability in Zimbra's Classic Web Client lets attackers execute malicious code when a user opens a specially crafted email, risking session data and account compromise.

CSBadmin
2 Min Read

Zimbra has issued an urgent call for customers to patch a critical security flaw in its Classic Web Client that could let attackers execute arbitrary code through specially crafted emails. The vulnerability is a stored cross-site scripting (XSS) issue, where a malicious email, when opened by a user, can run scripts in their session. This could expose mailbox data, session tokens, and account settings to an attacker.

How the Attack Works

Stored XSS vulnerabilities occur when an application improperly handles untrusted data, allowing attackers to inject persistent JavaScript into a database. In this case, the malicious script is embedded within an email and stored on the server. Any user who opens the email triggers the script in their browser, potentially leading to session hijacking, credential theft, or full account takeover. While Zimbra has not reported active exploitation of this specific flaw, the company acknowledges its high potential for abuse.

Zimbra has a history of being targeted for XSS flaws, with prior CVEs such as CVE-2025-27915, CVE-2023-37580, and CVE-2024-27443 being exploited or alleged to have been exploited in the wild. Although this latest vulnerability has not yet received a CVE identifier, Zimbra recommends all users update to Zimbra Collaboration Suite version 10.1.19 to mitigate the risk. Given the severity of stored XSS in an email platform, administrators should prioritize this update to prevent potential data breaches.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.