CVE-2022-41350

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration Suite version 8.8.15

Description The issue allows for the execution of arbitrary JavaScript on the victim's machine due to a Reflected XSS vulnerability. This is caused by the /h/search?action=voicemail&action=listen endpoint accepting a phone parameter that is not properly sanitized.

Recommendations For Zimbra Collaboration Suite version 8.8.15, as a temporary workaround, consider restricting access to the /h/search?action=voicemail&action=listen endpoint until a patch is available. Avoid using the phone parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.