CVE-2025-27914

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration (ZCS) versions 9.0 through 10.1

Description: A Reflected Cross-Site Scripting (XSS) issue exists, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. The issue is related to the "/h/rest" endpoint and involves a crafted URL with manipulated query parameters. Exploitation requires a valid auth token.

Recommendations: For Zimbra Collaboration (ZCS) versions 9.0 through 10.1, consider restricting access to the "/h/rest" endpoint until a patch is available. As a temporary workaround, avoid using manipulated query parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.