Sk4Nd4

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration (ZCS) versions prior to 10.0.4 Zimbra Collaboration (ZCS) versions 8.8.15 before Patch 43 Zimbra Collaboration (ZCS) versions 9.0.0 before Patch 36 **Description** An issue was discovered in Zimbra Collaboration, allowing an XSS issue to be exploited and potentially granting access to the mailbox of an authenticated user. **Recommendations** For versions prior to 10.0.4, update to version 10.0.4 or later. For versions 8.8.15, apply Patch 43 or later. For versions 9.0.0, apply Patch 36 or later.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration versions prior to 10.0.4 Zimbra Collaboration versions 8.8.15 before Patch 43 Zimbra Collaboration versions 9.0.0 before Patch 36 **Description** An XSS issue was discovered in a web endpoint in Zimbra Collaboration via an unsanitized parameter. **Recommendations** For Zimbra Collaboration versions prior to 10.0.4, update to version 10.0.4 or later. For Zimbra Collaboration versions 8.8.15, apply Patch 43 or later. For Zimbra Collaboration versions 9.0.0, apply Patch 36 or later.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration (ZCS) versions prior to 10.0.3 Zimbra Collaboration (ZCS) versions 9.0.0 before Patch 35 Zimbra Collaboration (ZCS) versions 8.8.15 before Patch 42 **Description** An issue was discovered in Zimbra Collaboration, allowing an attacker to gain access to a Zimbra account. **Recommendations** For versions prior to 10.0.3, update to version 10.0.3 or later. For versions 9.0.0, apply Patch 35 or later. For versions 8.8.15, apply Patch 42 or later.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration (ZCS) version 9.0 **Description** An issue was discovered in the Classic UI login page where XSS can occur by injecting arbitrary JavaScript code in the `username` field. This occurs before the user logs into the system, which means that even if the attacker executes arbitrary JavaScript, they will not get any sensitive information. **Recommendations** For Zimbra Collaboration (ZCS) version 9.0, as a temporary workaround, consider restricting access to the Classic UI login page until a patch is available. Avoid using the `username` field in the affected login page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration (ZCS) version 9.0 **Description** An issue was discovered in Zimbra Collaboration where XSS can occur via one of the attributes in webmail URLs, allowing the execution of arbitrary JavaScript code and leading to information disclosure. **Recommendations** For Zimbra Collaboration (ZCS) version 9.0, consider restricting access to webmail URLs to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using attributes in webmail URLs that could lead to the execution of arbitrary JavaScript code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.