Zimbra · Zimbra Collaboration · CVE-2023-24031
**Name of the Vulnerable Software and Affected Versions**
Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0
**Description**
Zimbra Collaboration is vulnerable to cross-site scripting (XSS) through one of the attributes of the webmail "/h/" endpoint. Exploitation enables the execution of arbitrary JavaScript code and leads to information disclosure. The vulnerability exists because the structure of the generated web page is inadequately protected, which a remote attacker can exploit to conduct an XSS attack.
**Recommendations**
For Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0, consider disabling access to the "/h/" endpoint as a temporary workaround until a patch is available. Restrict the use of attributes that can lead to XSS attacks in the webmail interface to minimize the risk of exploitation.
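
To support the workaround with log review, the following added example (not part of the original advisory and not Zimbra code) lists requests to the "/h/" endpoint whose query parameters decode to HTML markup characters. The combined access-log format, the `/h/example` path, the `p1` parameter name and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Characters that can alter page structure when reflected without encoding.
MARKUP_CHARS = set('<>"\'')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_h_requests(lines):
    """Return (client, path, parameter, decoded value) per suspicious /h/ request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request entry
        target = urlsplit(match.group("target"))
        if not target.path.startswith("/h/"):
            continue  # only the endpoint named in the advisory
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if MARKUP_CHARS & set(decoded):
                findings.append((match.group("client"), target.path, name, decoded))
    return findings


# Constructed sample entries (documentation addresses, hypothetical path and parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2023:10:00:00 +0000] "GET /h/example?p1=inbox HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Mar/2023:10:00:05 +0000] "GET /h/example?p1=%22%3E%3Cx%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Mar/2023:10:00:09 +0000] "GET /h/example?p1=%2522%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Mar/2023:10:00:12 +0000] "GET /other?p1=%3Cx%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in flag_h_requests(SAMPLE_LOG):
        print(finding)
```

Matches are triage candidates rather than confirmed exploitation, since legitimate parameter values can also contain quotes or angle brackets.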