PT-2020-12816 · Zimbra · Zimbra

Published: 2020-05-05 · Updated: 2020-05-07 · CVE-2020-11737

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Zimbra versions 9.0 through 9.0.0 Patch 1

Description
A cross-site scripting (XSS) issue in the Zimbra Web Client allows a remote attacker to execute arbitrary JavaScript by crafting links in an email message or calendar invite. The attack requires an A element whose href attribute contains a "www" substring immediately followed by a DOM event listener attribute such as onmouseover.

Recommendations
For Zimbra versions 9.0 through 9.0.0 Patch 1, update to 9.0.0 Patch 2 to resolve the issue. As a temporary workaround, consider restricting use of the Web Client until the patch is applied, and avoid links whose href attribute contains a "www" substring in email messages or calendar invites until the issue is resolved.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-11737

Affected Products

Zimbra