Exploits

Zimbra Classic Web Client XSS Flaw Allows Code Execution

Published  ·  4 min read

A security patch for the Zimbra Classic Web Client has been issued due to an important stored XSS vulnerability that could potentially execute malicious code through a specially crafted email. There is no CVE assigned to this vulnerability at the moment.

The vulnerability is a stored XSS attack. In other words, the injected code is saved on the server and will execute itself every time someone accesses that particular web page. As a result, the injected code may compromise mailbox info, sessions, and settings.

The Risk of Stored XSS

The cross-site scripting vulnerability is a situation where malicious code is injected into a system by an attacker. The malicious code is used by the attacker to execute any JavaScript in the victim’s browser, hence stealing cookies, account hijacking, and exposure of credentials.

The stored cross-site scripting vulnerability is the most dangerous of all as the malicious code is stored permanently in the server itself. This type of cross-site scripting differs from reflected cross-site scripting in that, with the former, there is no need for a victim to click a link.

In Zimbra's case, a simple email with embedded malicious code could be delivered to a target. As soon as the recipient opens that email in the Classic Web Client, the script runs. Further interaction is not needed.

What An Attacker Can Do

In case the attacker makes use of the above-discussed stored cross-site scripting vulnerability in Zimbra Classic Web Client, they would obtain immediate access to sensitive information in the affected account. This may include mailbox, session token, and account preferences.

By hijacking the session, the attacker will be able to perform any action on behalf of the user. This means that the attacker will be able to read emails, send emails, configure the account settings, and access any file hosted by the Zimbra service.

Zimbra XSS Exploitation History

Zimbra has been targeted quite often by hackers. Back in late 2021, there was evidence that malicious individuals were using XSS vulnerabilities in Zimbra. Recently, multiple XSS vulnerabilities have been discovered and exploited.

CVE-2023-37580 and CVE-2024-27443 were both exploited by threat actors. In October 2024, CVE-2025-27915 was alleged to have been used as a zero-day in attacks targeting the Brazilian military. Zimbra stated that it found no evidence to confirm that particular exploit, but the pattern of attacks is clear.

Attacks against Zimbra will be sustained because of its popularity within business and government networks. E-mail applications are still one of the most common attack surfaces. Cross-Site Scripting vulnerabilities offer a convenient way of compromising the system without an exploit.

The Fix

There has been no statement from Zimbra regarding any exploitation of this vulnerability. But considering the track record of the company and the fact that it is a stored XSS flaw, postponing the update is not wise.

The fix has been made in version 10.1.19 of Zimbra Collaboration Suite. This update is needed by the users at the earliest possible time.

For those who have to postpone the update process, there is an alternative. Monitoring of emails and other suspicious activities may be required along with the use of web application firewalls.

The Bottom Line

Zimbra Classic Web Client stored XSS is a serious vulnerability that requires immediate action. A single email can deliver a persistent payload that compromises an entire account. The flaw has no CVE yet, but the risk is clear.

Update to Zimbra Collaboration Suite 10.1.19. Monitor for suspicious account activity. And treat every email as a potential attack vector.

FAQ Section

What is Zimbra Classic Web Client XSS Vulnerability?

It is a cross-site scripting problem that lets certain emails trigger malicious JavaScript code when loaded using the Classic Web Client.

What can an attacker do with such vulnerability?

They can access mailbox details, session data, and other information related to accounts. They can hijack user sessions and also be able to send and receive emails.

Is this vulnerability being actively exploited in the wild?

Active exploitation has not yet been confirmed by Zimbra. But Zimbra has had XSS vulnerabilities exploited in the past.

Which version(s) are impacted?

This vulnerability impacts certain versions of the Classic Web Client. The vulnerability is fixed in Zimbra 10.1.19 version of Zimbra Collaboration Suite.

What should I do?

It is best to upgrade to Zimbra Collaboration Suite 10.1.19 as soon as you can. You need to be wary of any suspicious activities related to your account.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067