Zimbra · Zimbra Collaboration · CVE-2023-48432
**Name of the Vulnerable Software and Affected Versions**
Zimbra Collaboration (ZCS) versions 8.8.15 through 10.0
**Description**
Zimbra Collaboration is affected by a cross-site scripting (XSS) issue, with resultant session stealing, caused by JavaScript code placed in a link within an email message. The script executes when the victim clicks that link in Zimbra webmail; the link specifically targets a webmail redirection endpoint.
**Recommendations**
For versions 8.8.15, 9.0, and 10.0, as a temporary workaround until a patch is available, disable JavaScript execution for links within email messages. Restrict access to webmail redirection endpoints to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
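One way to implement such a workaround at the mail-rendering layer, as an added example that is not Zimbra's own code: links in an email body are kept only with an http, https or mailto scheme after browser-style normalisation, any other href is neutralised, and a redirection-endpoint target is checked against a host allow-list. The function names, the sample message and the allowed hosts are assumptions; `scrub_links` returns the rewritten HTML and the number of links it neutralised.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical filter, not Zimbra code: schemes a link in a rendered email may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")

def normalise_href(href: str) -> str:
    # Mirror browser URL parsing (strip edge C0/space, drop tab/CR/LF) so ' \tJava\nScript:' is caught.
    href = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", href)
    return re.sub(r"[\t\n\r]", "", href)

def link_is_safe(href: str) -> bool:
    # Absolute link with an allow-listed scheme only. Relative links would resolve
    # against the webmail origin itself, so they are refused as well.
    m = SCHEME_RE.match(normalise_href(href))
    return m is not None and m.group(1).lower() in ALLOWED_SCHEMES

def redirect_target_allowed(target: str, allowed_hosts: set) -> bool:
    # For a webmail redirection endpoint: only http(s) to an allow-listed host.
    parts = urlsplit(normalise_href(target))
    return parts.scheme.lower() in {"http", "https"} and (parts.hostname or "") in allowed_hosts

class LinkScrubber(HTMLParser):
    # Re-emits the HTML, replacing the href of every unsafe <a> with "#".
    def __init__(self):
        super().__init__()
        self.out, self.blocked = [], 0
    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:  # attribute values arrive already HTML-unescaped
            if tag == "a" and name == "href" and value is not None and not link_is_safe(value):
                self.blocked += 1
                value = "#"
            parts.append(f' {name}="{html.escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(html.escape(data, quote=False))

def scrub_links(email_html: str):
    p = LinkScrubber()
    p.feed(email_html)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample body: a legitimate link, then a script link with an entity-hidden scheme (&#x6a; is "j").
SAMPLE_EMAIL_HTML = ('<p>Invoice: <a href="https://billing.example.com/inv/42">view</a> or '
                     '<a href="&#x6a;avascript:alert(1)">view here</a></p>')
```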