CVE-2024-45510

moderate-risk

Published 2024-11-20

An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.

Do I need to act?

0.48% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Zimbra Collaboration Suite

Affected Vendors

Synacor

References (5)

Vendor Advisory https://wiki.zimbra.com/wiki/Security_Center

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes

Product https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 25/34 · High