Zimbra · Zimbra Collaboration Suite · CVE-2018-6882
**Name of the Vulnerable Software and Affected Versions**
Zimbra Collaboration Suite (ZCS) versions 8.7 before Patch 1 through 8.8.x before 8.8.7
**Description**
The issue is a cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function. It might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. A remote attacker can exploit it to execute arbitrary code by sending a specially crafted email containing a Content-Location header.
**Recommendations**
For Zimbra Collaboration Suite (ZCS) versions 8.7 before Patch 1, update to at least Patch 1.
For Zimbra Collaboration Suite (ZCS) versions 8.8.x before 8.8.7, update to at least version 8.8.7.
As a temporary workaround, consider restricting access to email attachments with Content-Location headers until a patch is applied.
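
One way to support the temporary workaround at a mail gateway is to walk each message's MIME parts and flag those that carry a Content-Location header. The following is an added example, not Zimbra code or part of the original advisory. The function names, the sample message, and the assumption that the gateway passes raw message bytes to the check are all hypothetical.

```python
import email
from email import policy

# Characters with special meaning in HTML text or attribute values.
HTML_META = set("<>\"'&")

def scan_content_location(raw_bytes):
    """Return one finding per MIME part that carries a Content-Location header."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        for header in part.get_all("Content-Location", []):
            value = str(header)  # decoded, unfolded header value
            findings.append({
                "part": index,
                "content_type": part.get_content_type(),
                "filename": part.get_filename(),
                "content_location": value,
                "has_markup_chars": any(c in HTML_META for c in value),
            })
    return findings

def parts_to_restrict(findings, markup_only=False):
    """Part indexes to hold back; by default every part with the header."""
    return [f["part"] for f in findings
            if f["has_markup_chars"] or not markup_only]

# Constructed sample message (hypothetical, not from a real incident).
SAMPLE = b"""\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="a.pdf"
Content-Location: a.pdf"><i>marker</i>

data
--b1
Content-Type: image/png
Content-Location: logo.png

data
--b1--
"""

if __name__ == "__main__":
    for finding in scan_content_location(SAMPLE):
        print(finding)
```

With `markup_only=True` only parts whose header value contains HTML metacharacters are held, which is narrower than the workaround as stated and reduces false positives on legitimate mail that uses Content-Location.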