Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Synacor Zimbra_Collaboration_Suite
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
10.0.0
|
10.0.18
|
|
Synacor Zimbra_Collaboration_Suite
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
|
10.1.0
|
10.1.13
|
References 6
https://wiki.zimbra.com/wiki/Security_Center
cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
cve@mitre.org
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025…
134c704f-9b21-4f2e-91b3-4a467353bcc0