Particle.news
Download on the App Store

Zimbra Patches Critical Classic Web Client XSS

Crafted emails can run JavaScript in users' browsers to steal session tokens and mailbox data, prompting an immediate upgrade recommendation.

Overview

  • Zimbra released ZCS version 10.1.19 on Tuesday to fix a stored cross-site scripting flaw in its Classic Web Client and urged all Classic UI users to upgrade immediately.
  • The bug allows specially crafted HTML emails to execute JavaScript when opened, which can expose mailbox contents, session tokens, account settings, and other sensitive data.
  • Google's Threat Analysis Group reported the vulnerability to Zimbra and the vendor issued the patch before any public evidence of active exploitation appeared.
  • Security teams warn that past XSS attacks against Zimbra have let attackers harvest credentials, two-factor codes, and months of mail and then exfiltrate data, making rapid patching important for at-risk organizations.
  • Administrators should install 10.1.19, monitor logs and account activity for suspicious access, and consider disabling or restricting the Classic UI where upgrades cannot be applied quickly.