PT-2024-31676 · Zimbra · Zimbra Collaboration
Published: 2024-09-23 · Updated: 2024-11-21 · CVE-2024-45517
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration (ZCS) versions through 10.1
Description: A Cross-Site Scripting (XSS) issue in the "/h/rest" endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This is caused by improper sanitization of user input, potentially compromising sensitive information. Exploitation requires user interaction to access the malicious URL.
Recommendations: For versions through 10.1, update to Zimbra Daffodil (v10.1.1) or later to fix the Cross-Site Scripting (XSS) vulnerability in the "/h/rest" endpoint. As a temporary workaround, consider restricting access to the "/h/rest" endpoint until the update can be applied.
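The advisory names the endpoint but not the vulnerable parameter, so a defender's first practical step is to find out who is reaching "/h/rest" and whether any of those requests carry reflected-markup payloads, and, once the workaround is in place, to confirm that external clients no longer reach it. The script below is an added example and not part of the Positive Technologies advisory or of Zimbra: it parses constructed access-log lines in Combined Log Format (as a reverse proxy in front of Zimbra might write them; the sample traffic, the IP addresses and the "10.0.0.0/8" allowlist are assumptions), URL-decodes each request target, and flags /h/rest hits that either contain generic XSS indicators (a tag opener, an inline event-handler attribute, a javascript: URL) or originate outside the allowed internal range.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Endpoint named in the advisory (CVE-2024-45517).
ENDPOINT = "/h/rest"

# Coarse, generic reflected-XSS indicators applied to the decoded request target.
# These are heuristics for triage, not a definition of the vulnerable input.
INDICATORS = [
    re.compile(r"<[a-z/!]"),                    # start of an HTML tag or comment
    re.compile(r"(?<![a-z])on[a-z]+\s*="),      # inline event handler, e.g. onerror=
    re.compile(r"javascript:"),                 # javascript: URL scheme
]

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (assumed format and addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2024:10:01:12 +0000] "GET /h/rest?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2024:10:01:15 +0000] "GET /h/rest?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Sep/2024:10:02:01 +0000] "GET /h/rest?folder=inbox HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Sep/2024:10:03:44 +0000] "GET /h/rest?img=x%22%20onerror%3Dalert(document.cookie) HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.9 - - [24/Sep/2024:10:04:00 +0000] "GET /zimbra/ HTTP/1.1" 200 300 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_fully(s, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_xss_indicator(target):
    """True if the decoded, lower-cased request target matches any indicator."""
    t = decode_fully(target).lower()
    return any(p.search(t) for p in INDICATORS)


def in_allowlist(ip, nets):
    """True if ip parses and falls inside one of the allowed networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def analyze(log_text, allowed_cidrs):
    """Return findings for /h/rest requests that look malicious or come from
    outside the allowlist. Each finding lists the reasons it was flagged."""
    nets = [ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ENDPOINT):
            continue
        reasons = []
        if has_xss_indicator(rec["path"]):
            reasons.append("xss-indicator")
        if not in_allowlist(rec["ip"], nets):
            reasons.append("outside-allowlist")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "status": rec["status"],
                "target": decode_fully(rec["path"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Assumed internal range for the workaround's access restriction.
    for f in analyze(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["target"])
```

A /h/rest request that is flagged only as "outside-allowlist" but still returned 200 after the workaround was deployed indicates the restriction is not effective at the proxy; an "xss-indicator" hit from any source is worth reviewing regardless of origin, since the exploit needs only that a logged-in user open the crafted URL.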

Fix
Weakness Enumeration: XSS
Related Identifiers: CVE-2024-45517
Affected Products: Zimbra Collaboration