CVE-2025-48700

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration (ZCS) version 8.8.15 Zimbra Collaboration (ZCS) version 9.0 Zimbra Collaboration (ZCS) version 10.0 Zimbra Collaboration (ZCS) version 10.1

Description A Cross-Site Scripting (XSS) issue in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within a user session, which can lead to unauthorized access to sensitive information and the theft of session cookies. This occurs due to insufficient sanitization of HTML content, specifically regarding crafted tag structures and attribute values containing the @import directive and other script injection vectors. The issue is triggered when a user views a specially crafted e-mail message in the Classic UI and requires no additional user interaction. This flaw has been exploited in the wild, with over 10,500 unpatched IP addresses reported.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.