Industry News

Critical Zimbra Flaw Lets Crafted Emails Execute Code in User Sessions

Zimbra has released version 10.1.19 to patch a critical stored cross-site scripting vulnerability in its Classic Web Client. The flaw allows attackers to execute malicious JavaScript when users open specially crafted emails, potentially compromising mailbox data and session credentials. While no active exploitation has been confirmed, Zimbra XSS flaws have been repeatedly targeted by threat actors in recent years.

T
The Hacker News
~1 min read

Critical Zimbra Flaw Lets Crafted Emails Execute Code in User Sessions Zimbra is sounding the alarm on a nasty vulnerability that could turn a simple email into a weapon. The company just pushed out version 10.1.19 of its Collaboration Suite to plug a critical security hole in the Classic Web Client---one that lets attackers run arbitrary code just by getting you to open a malicious message. No CVE number has been assigned yet, but don't let that fool you. This is the real deal. ## What's Actually Happening Here? The vulnerability is a stored cross-site scripting (XSS) flaw. In plain English: an attacker sends a specially crafted email that gets stored on the Zimbra server. When you (or anyone else) opens that email in the Classic Web Client, the malicious JavaScript embedded in it executes in your browser session. Think of it like a letter that, when opened, doesn't just show you words---it secretly installs a keylogger on your desk. Except it's all happening in your browser, and the

Share this article