Critical Zimbra Flaw Lets Crafted Emails Execute Code in User Sessions
Zimbra has released version 10.1.19 to patch a critical stored cross-site scripting vulnerability in its Classic Web Client. The flaw allows attackers to execute malicious JavaScript when users open specially crafted emails, potentially compromising mailbox data and session credentials. While no active exploitation has been confirmed, Zimbra XSS flaws have been repeatedly targeted by threat actors in recent years.
Critical Zimbra Flaw Lets Crafted Emails Execute Code in User Sessions Zimbra is sounding the alarm on a nasty vulnerability that could turn a simple email into a weapon. The company just pushed out version 10.1.19 of its Collaboration Suite to plug a critical security hole in the Classic Web Client---one that lets attackers run arbitrary code just by getting you to open a malicious message. No CVE number has been assigned yet, but don't let that fool you. This is the real deal. ## What's Actually Happening Here? The vulnerability is a stored cross-site scripting (XSS) flaw. In plain English: an attacker sends a specially crafted email that gets stored on the Zimbra server. When you (or anyone else) opens that email in the Classic Web Client, the malicious JavaScript embedded in it executes in your browser session. Think of it like a letter that, when opened, doesn't just show you words---it secretly installs a keylogger on your desk. Except it's all happening in your browser, and the
Topics
Related Articles
Palworld 1.0 Hits Full Release Alongside a Wave of Fresh Indie Gems
Palworld exits early access after two and a half years with a massive 1.0 update, while cozy life sim Tiny Bookshop arrives on mobile. Also covered: a 2000s forum moderator sim, a cat post office game, a backyard baseball revival, and several upcoming indie titles worth watching.
GameStop's Pokémon Card Markups Hit 400%: When the Retailer Becomes the Scalper
GameStop is charging 200-400% over MSRP for Pokémon TCG products, including the upcoming 30th Anniversary set. Elite Trainer Boxes retail for $55 but sell at $170 in-store, while Ultra-Premium Collections hit $600 versus an expected $120. Nintendo acknowledges the scalping crisis and may restrict supply to price-gouging retailers.
Samsung Gallery Loses OneDrive Sync This September
Samsung and Microsoft are ending their Gallery-to-OneDrive sync integration on September 30, 2026. Photos will no longer appear in the Gallery app, though users can still back up media via the standalone OneDrive app. Alternatives include Google Photos, Dropbox, and self-hosted options like Immich.