CVE-2023-24031

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0

Description An issue in Zimbra Collaboration allows for cross-site scripting (XSS) attacks. This can occur via one of the attributes of the webmail "/h/" endpoint, enabling the execution of arbitrary JavaScript code and leading to information disclosure. The vulnerability exists due to inadequate protection of the web page structure, which can be exploited by a remote attacker to conduct an XSS attack.

Recommendations For Zimbra Collaboration (ZCS) versions 8.8.15 through 9.0, consider disabling access to the "/h/" endpoint as a temporary workaround until a patch is available. Restrict the use of attributes that can lead to XSS attacks in the webmail interface to minimize the risk of exploitation.