Vulnerability Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Synacor | Zimbra Collaboration Suite | >= 10.0.0, < 10.0.12 |
Related Weaknesses (CWE)
References
- https://wiki.zimbra.com/wiki/Security_CenterVendor Advisory
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_FixesRelease Notes
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
- https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
FAQ
What is CVE-2024-45516?
CVE-2024-45516 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the ...
How severe is CVE-2024-45516?
CVE-2024-45516 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-45516?
Check the references section above for vendor advisories and patch information. Affected products include: Synacor Zimbra Collaboration Suite.