CVE-2025-66376
In short
Zimbra Collaboration lets an attacker get script into an HTML e-mail through a CSS @import directive. When the recipient opens that message in the Classic UI, the script runs in their browser with their mailbox session, so it can read data or take actions as them.
Technical detail
Stored XSS in Zimbra ZCS 10.0.x before 10.0.18 and 10.1.x before 10.1.13, reachable through CSS @import directives in an HTML e-mail message. The attack is network-based and needs no privileges on the target system: the attacker only has to deliver a crafted message, and the payload executes in the recipient's browser in the context of their Classic UI session when the message is rendered there. Practical impact is what any stored XSS in a webmail client gives an attacker: session hijacking, theft of credentials or mailbox contents, and actions performed on the victim's behalf. The fix is to upgrade to 10.0.18 or 10.1.13 (see the release notes in the references).
Summary generated and translated by AI from the official description.
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
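Two offline checks a defender can run against this advisory, as an added example that is not part of the original page or of Zimbra's own code: a version comparison against the fixed releases the advisory names, and a scan of an RFC 822 message for CSS @import directives (the injection vector the advisory names) in its text/html parts. The release-string format ("Release 10.1.12_GA...") is assumed to match what `zmcontrol -v` prints; the sample message is constructed, not a real capture, and the host names in it are placeholders.

```python
"""Offline triage helpers for CVE-2025-66376 (Zimbra ZCS Classic UI stored XSS
via CSS @import in HTML e-mail).

is_affected()   -> compare a ZCS release string with the fixed releases named
                   in the advisory (10.0.18 and 10.1.13).
scan_message()  -> walk an RFC 822 message and report every CSS @import found
                   in its text/html parts.
"""
import email
import html
import re
from email import policy

# Fixed releases per the advisory; anything older on the same train is affected.
FIXED_RELEASES = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}


def parse_release(text):
    """Pull MAJOR.MINOR.PATCH out of a string such as 'Release 10.1.12_GA' (assumed
    zmcontrol -v format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(release_text):
    """True if the release is on a train the advisory covers and predates the fix.
    Returns None for trains the advisory does not mention (e.g. 9.0)."""
    version = parse_release(release_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


STYLE_ELEMENT = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I | re.S)
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits (+ optional single whitespace), or backslash + any char.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
AT_IMPORT = re.compile(r"@import\b[^;]*", re.I)


def normalize_css(css):
    """Resolve what a CSS tokenizer resolves before at-keywords are compared:
    comments are dropped and escapes such as '\\69' are decoded to their character.
    Dropping comments is deliberately conservative for a detector: it also flags an
    '@import' split by a comment, which a conforming parser would not read as one."""
    css = CSS_COMMENT.sub("", css)
    return CSS_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), css)


def find_css_imports(html_body):
    """Return (location, directive) pairs for every @import in <style> elements and
    style attributes of an HTML body. At-rules do not apply inside a style attribute,
    but an attribute that carries one past a sanitizer is still worth flagging."""
    sources = [("style-element", m.group(1)) for m in STYLE_ELEMENT.finditer(html_body)]
    # Attribute values are entity-decoded by the HTML parser before CSS sees them.
    sources += [("style-attribute", html.unescape(m.group(1) or m.group(2) or ""))
                for m in STYLE_ATTR.finditer(html_body)]
    hits = []
    for where, css in sources:
        for m in AT_IMPORT.finditer(normalize_css(css)):
            hits.append((where, m.group(0).strip()))
    return hits


def scan_message(raw):
    """Parse an RFC 822 message and scan each text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_css_imports(part.get_content()))
    return hits


# Constructed sample message (not a real capture): one plain @import in a <style>
# element and one written with a CSS hex escape inside a style attribute.
SAMPLE_EML = """\
From: sender@example.test
To: victim@example.test
Subject: constructed sample for CVE-2025-66376 triage
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>
  body { font-family: sans-serif; } /* benign */
  @import url("https://sheets.example.test/x.css");
</style></head>
<body><p style="color:red; @\\69mport url('https://sheets.example.test/y.css')">hi</p>
</body></html>
"""

if __name__ == "__main__":
    for rel in ("Release 10.1.12_GA", "Release 10.1.13_GA",
                "Release 10.0.17_GA", "Release 9.0.0_GA"):
        print(rel, "->", is_affected(rel))
    for where, directive in scan_message(SAMPLE_EML):
        print(f"{where}: {directive}")
```

The scanner only reports the presence of @import; it does not decide whether a given message would have triggered the bug, since the page does not describe the sanitizer's exact failure. Treat a hit in mail destined for an unpatched 10.0.x/10.1.x host as something to pull for review, and rely on the version check, not the scanner, for exposure.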
Affected products
Zimbra · Collaboration
References
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376