PT-2024-8655 · Zimbra · Zimbra Collaboration

Published: 2024-09-23 · Updated: 2025-06-11 · CVE-2024-45511

CVSS v2.0: 9.7 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration (ZCS) versions through 10.1

Description: A reflected Cross-Site Scripting (XSS) issue exists in the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. It is triggered when the victim opens a crafted URL pointing to a shared folder that contains a malicious file uploaded by the attacker, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session.

Recommendations: For versions through 10.1, update to Zimbra Daffodil (v10.1.1) or later, which includes a patch for the reflected XSS vulnerability in the Briefcase module. As a temporary workaround, consider disabling the Briefcase module or restricting access to shared folders until the patch is applied. Avoid opening crafted URLs pointing to shared folders containing potentially malicious files.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-10247
CVE-2024-45511

Affected Products

Zimbra Collaboration