PT-2024-10389 · Zimbra · Zimbra Collaboration Suite

Published 2024-09-01 · Updated 2025-06-11 · CVE-2024-45512

CVSS v2.0: 5.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions:

Zimbra Collaboration Suite (ZCS) versions through 10.1

Description:

The issue exists due to inadequate protection of the web page structure in the Briefcase Module of the Zimbra Collaboration Suite (ZCS). An attacker can exploit this by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser, leading to unauthorized actions within the victim's session. This is a stored Cross-Site Scripting (XSS) vulnerability.

Recommendations:

For Zimbra Collaboration Suite (ZCS) versions through 10.1, update to Zimbra Daffodil (v10.1.1) or later to fix the Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module.

As a temporary workaround, consider restricting access to the Briefcase module until a patch is applied.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-00898
CVE-2024-45512

Affected Products

Zimbra Collaboration Suite