PT-2024-31671 · Zimbra · Zimbra Webmail (+2)

Published: 2024-09-23 · Updated: 2025-06-11 · CVE-2024-45510
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions: Zimbra Collaboration (ZCS) versions through 10.0
Description: A stored cross-site scripting (XSS) vulnerability exists in Zimbra Webmail (Modern UI) because user input is not properly sanitized. An attacker can inject malicious code into specific fields of an e-mail message; when the victim adds the attacker to their contacts, the injected code is stored and executed when the contact list is viewed. This can lead to unauthorized actions in the victim's session, such as sending arbitrary mail, exfiltrating the mailbox, altering the profile picture, and other malicious actions.
Recommendations: For Zimbra Collaboration (ZCS) versions through 10.0, update to Zimbra Daffodil (v10.1.1) or later, which fixes the stored XSS vulnerability. As a temporary workaround, consider disabling the contact-addition feature in Zimbra Webmail (Modern UI) until the update can be applied, and restrict access to the contact list to reduce exposure. Proper sanitization and escaping of input fields is the underlying mitigation.
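The mitigation the recommendation names, shown as an added example that is not Zimbra's code: a contact record built from sender-controlled message fields is rendered once without escaping (the vulnerable pattern) and once with HTML escaping plus address validation. The renderer functions and the contact record are assumed, constructed for this illustration.

```javascript
// Added example, not Zimbra code. Shows the fix class for a stored XSS in a
// contact list: escape every sender-controlled field before it reaches markup.

// Minimal HTML escaping for text placed inside element content or attributes.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): display name and address taken from a
// message header are concatenated straight into the contact-list template,
// so markup inside the name is rendered live in the viewer's browser.
function renderContactUnsafe(contact) {
  return `<li class="contact"><span class="name">${contact.name}</span>` +
         ` <span class="email">${contact.email}</span></li>`;
}

// Hardened form: every field is escaped, and the address must also match a
// strict shape, otherwise it is dropped rather than rendered.
const SIMPLE_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function renderContactSafe(contact) {
  const name = escapeHtml(contact.name);
  const email = SIMPLE_EMAIL.test(contact.email) ? escapeHtml(contact.email) : "";
  return `<li class="contact"><span class="name">${name}</span>` +
         (email ? ` <span class="email">${email}</span>` : "") + "</li>";
}

// Constructed contact record: the display name carries a benign probe tag of
// the kind a sender could place in a message field.
const CONSTRUCTED_CONTACT = {
  name: 'Alice <img src=x onerror="alert(1)">',
  email: "alice@example.com",
};

// Returns true when the rendered HTML still contains a raw tag that came from
// the name field, i.e. the escaping step was skipped.
function leaksRawTag(html, contact) {
  const tag = contact.name.match(/<[^>]+>/);
  return tag !== null && html.includes(tag[0]);
}

console.log("unsafe leaks tag:", leaksRawTag(renderContactUnsafe(CONSTRUCTED_CONTACT), CONSTRUCTED_CONTACT));
console.log("safe leaks tag:  ", leaksRawTag(renderContactSafe(CONSTRUCTED_CONTACT), CONSTRUCTED_CONTACT));
```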

Fix: available (Zimbra Daffodil v10.1.1 or later)
Weakness Enumeration: XSS
Related Identifiers: CVE-2024-45510
Affected Products: Zimbra Collaboration, Zimbra Daffodil, Zimbra Webmail