PT-2024-8886 · Zimbra · Zimbra Collaboration Suite

Published: 2024-04-22 · Updated: 2024-08-16 · CVE-2024-33536

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite (ZCS) versions 9.0 through 10.0
Description: The issue stems from inadequate input validation of the res parameter, which allows an authenticated attacker to inject and execute arbitrary JavaScript code in the context of another user's browser session. The attacker uploads a malicious JavaScript file and crafts a URL whose res parameter points to that file's location; when another user visits the crafted URL, the malicious JavaScript code is executed.
Recommendations: For Zimbra Collaboration Suite (ZCS) versions 9.0 through 10.0, consider disabling the ability to upload and execute JavaScript files until a patch is available. Restrict access to the res parameter to minimize the risk of exploitation. Avoid using the res parameter in URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
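The recommendation to restrict the res parameter amounts to never letting it name an arbitrary (possibly user-uploaded) file. The following added example, which is not Zimbra's code, shows an allowlist validator for a hypothetical res handler and a scan over constructed access-log lines that flags requests whose res value would not pass that validator; the allowlisted resource names, the log format and the upload path are assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only resource names the hypothetical handler may serve.
ALLOWED_RES = {"skin.css", "logo.png", "help.html"}

def validate_res(value: str) -> Optional[str]:
    """Return the resource name if it is allowlisted, otherwise None.

    Path separators, traversal and anything outside the allowlist are rejected,
    so a user-uploaded .js file can never be referenced through this parameter.
    """
    if not value or "/" in value or "\\" in value or ".." in value:
        return None
    if value not in ALLOWED_RES:
        return None
    return value

def flag_suspicious_res(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan combined-log-format lines and return (client_ip, res) pairs whose res
    value is not allowlisted, e.g. one pointing at an uploaded .js file."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue                      # malformed line, skip it
        request_path = parts[6]           # the URL after the HTTP method
        query = parse_qs(urlsplit(request_path).query)
        for res in query.get("res", []):
            if validate_res(res) is None:
                flagged.append((parts[0], res))
    return flagged

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [22/Apr/2024:10:00:00 +0000] "GET /zimbra/page?res=skin.css HTTP/1.1" 200 512',
    '10.0.0.7 - bob [22/Apr/2024:10:00:05 +0000] "GET /zimbra/page?res=uploads/note.js HTTP/1.1" 200 88',
    '10.0.0.9 - carol [22/Apr/2024:10:00:09 +0000] "GET /zimbra/page?res=..%2Fuploads%2Fx.js HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, res in flag_suspicious_res(SAMPLE_LOG):
        print(f"suspicious res value from {ip}: {res!r}")
```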

Weakness Enumeration: XSS

Related Identifiers: BDU:2024-10553, CVE-2024-33536

Affected Products: Zimbra Collaboration Suite