Overview
- Zimbra released ZCS version 10.1.19 on Tuesday to fix a stored cross-site scripting flaw in its Classic Web Client and urged all Classic UI users to upgrade immediately.
- The bug allows specially crafted HTML emails to execute JavaScript when opened, which can expose mailbox contents, session tokens, account settings, and other sensitive data.
- Google's Threat Analysis Group reported the vulnerability to Zimbra and the vendor issued the patch before any public evidence of active exploitation appeared.
- Security teams warn that past XSS attacks against Zimbra have let attackers harvest credentials, two-factor codes, and months of mail and then exfiltrate data, making rapid patching important for at-risk organizations.
- Administrators should install 10.1.19, monitor logs and account activity for suspicious access, and consider disabling or restricting the Classic UI where upgrades cannot be applied quickly.