zimbraxssemail-securitycvepatch

Critical XSS Flaw in Zimbra Classic Web Client Enables Arbitrary Code Execution

Zimbra's Classic Web Client suffers a critical stored XSS vulnerability that lets crafted emails run malicious code, risking mailbox data and session hijacking. Update to version 10.1.19 now.

Diego Diaz
8 min

What Happened

Zimbra announced a critical stored cross‑site scripting (XSS) vulnerability in its Classic Web Client that allows specially crafted emails to execute arbitrary JavaScript in a user’s browser. The flaw can expose mailbox contents, session data, and account settings if an email is opened. The issue has not yet been assigned a CVE identifier, but Zimbra confirmed that the vulnerability enables arbitrary code execution The Hacker News.

Technical Analysis

The XSS flaw resides in the Classic Web Client’s handling of email bodies. When an email contains malicious script tags, the client fails to properly sanitize or escape the input, storing the payload in the server‑side database. Upon retrieval, the script runs in the context of the logged‑in user’s session, granting access to cookies and session tokens. The vulnerability was discovered by Google’s Threat Analysis Group and reported to Zimbra, which subsequently released version 10.1.19 to remediate the issue BleepingComputer and SC Media.

Who’s Affected

The flaw impacts all deployments of Zimbra Collaboration Suite that still use the Classic Web Client, which is common in large enterprises and government agencies due to its lower resource consumption. Zimbra estimates millions of installations worldwide, with a significant portion of the user base relying on the Classic UI for email access. Because the vulnerability is stored, any organization that receives a malicious email can become compromised without user interaction beyond opening the message.

How to Protect Yourself

  • Immediately upgrade to Zimbra Collaboration Suite version 10.1.19, which includes the XSS fix.
  • If you cannot upgrade immediately, disable the Classic Web Client and force users to the modern UI to mitigate the attack surface.
  • Apply strict email filtering to block suspicious attachments and HTML content containing script tags.
  • Enforce multi‑factor authentication (MFA) for all mailbox logins to limit the impact of stolen session tokens.
  • Monitor server logs for unusual JavaScript execution patterns or unexpected outbound requests from the web client.

The Sable Angle

At Sable we routinely audit email collaboration platforms for hidden attack vectors. Our research team has built automated detection scripts that surface stored XSS payloads across large mailboxes, helping clients pre‑emptively identify vulnerable messages before they reach end users. Learn more about our offensive security services on the Research page and see how we helped secure similar high‑profile email systems in the past.

References

The Hacker News – Critical Zimbra Flaw
BleepingComputer – Zimbra XSS Patch
SC Media – Zimbra XSS Advisory