🔴 Critical | Source: The Hacker News
A critical stored cross-site scripting (XSS) vulnerability in Zimbra’s Classic Web Client allows attackers to embed malicious scripts inside specially crafted emails, which then execute within the victim’s browser session when the email is viewed. No CVE identifier has been assigned yet, but Zimbra has issued updates and is urging immediate patching. The flaw is particularly dangerous because exploitation requires nothing more than a target opening a malicious email.
Security Architect’s Take: If your organisation runs Zimbra on-premises or in a self-managed cloud environment, apply the vendor’s patch immediately and audit whether the Classic Web Client is exposed to external senders. Consider enforcing Content Security Policy (CSP) headers and restricting HTML email rendering as interim mitigations if patching cannot happen immediately.
Original advisory: Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions