CVE-2025-48700

high-risk

Published 2025-06-23

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Zimbra Collaboration Suite

Affected Vendors

Synacor

References (3)

Release Notes https://wiki.zimbra.com/wiki/Security_Center

Product https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Vendor Advisory https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

/ 100

high-risk

Severity 23/34 · High

Exploitability 0/34 · Minimal

Exposure 30/34 · Critical