Zimbra has released an update, Zimbra Collaboration Suite 10.1.19, that fixes a stored XSS vulnerability in the Classic Web Client component. A specially crafted email allows an attacker to execute malicious JavaScript code in the context of the user’s session when the message is opened. Successful exploitation may lead to access to mailbox contents, session data, and account settings. All organizations using Zimbra with the Classic Web Client are strongly advised to upgrade to version 10.1.19 without delay.
Technical details of the vulnerability
According to the official Zimbra blog, the vulnerability is caused by insufficient validation and escaping of input data when processing email content in the Classic Web Client. An attacker can inject a malicious script into the body of an email, which is stored on the server and executed every time the victim opens that message.
Key characteristics of the vulnerability:
- Type: Stored (persistent) XSS — the malicious code is stored on the server
- Attack vector: specially crafted email message
- Affected component: Zimbra Classic Web Client
- CVE identifier: not assigned at the time of publication
- Exploitation status: unknown — the vendor does not report active exploitation
- Fix: Zimbra Collaboration Suite 10.1.19
It is important to clarify the context: stored XSS results in script execution in the user’s browser, not arbitrary code execution at the operating system level on the server or workstation. Nevertheless, the consequences can be severe — session hijacking, credential theft, and full compromise of the email account. Details about the fix are available in the release notes for 10.1.19.
Historical context: XSS as a systemic Zimbra issue
Stored XSS vulnerabilities in Zimbra are not isolated incidents but a persistent pattern. The Classic Web Client has repeatedly served as an attack vector:
- CVE-2025-27915 (CVSS: 5.4) — a similar stored XSS vulnerability in the Classic Web Client, information about which is available in the NVD database. There were reports that it was allegedly exploited as a zero-day vulnerability in attacks on Brazilian military entities, but Zimbra stated that no corroborating evidence was found.
- CVE-2023-37580 and CVE-2024-27443 — XSS vulnerabilities that, according to available data, were exploited by attackers in real-world attacks.
The recurrence of similar vulnerabilities in the same component points to architectural limitations of the Classic Web Client in handling untrusted content. For attackers, email-based XSS vulnerabilities are particularly attractive: the delivery vector is a regular email, and exploitation requires no action from the victim beyond opening the message.
Impact assessment
Zimbra Collaboration Suite is widely used by government agencies, educational institutions, and mid-sized businesses around the world. Stored XSS via email is especially dangerous for several reasons:
- No user interaction: the victim only needs to open the email — no need to follow links or download attachments
- Scalability: a single malicious email can be sent to many users within an organization
- Persistence: the malicious script is stored on the server and triggers on every view of the email
- Attack chaining: taking over an administrator’s session can lead to compromise of the entire mail infrastructure
Recommendations
- Update Zimbra Collaboration Suite to version 10.1.19 — this is the primary measure to remediate the vulnerability.
- Consider migrating from the Classic Web Client to the modern Zimbra web client. The Classic Web Client repeatedly proves to be a vulnerable component, and retiring it reduces the attack surface.
- Review access logs for signs of anomalous activity in user sessions — in particular, bulk access to address books, forwarding of emails to external addresses, or changes to account settings.
- Implement a Content Security Policy (CSP) at the web server level, if not already in place, to restrict execution of inline scripts.
- Update priority: high. Although there is no confirmed exploitation at this time, Zimbra’s history shows that XSS vulnerabilities in this product quickly attract the attention of attackers.
Given the ongoing history of XSS exploitation in Zimbra and the trivial nature of the email-based attack vector, postponing deployment of the 10.1.19 patch is inadvisable. Organizations that continue to use the Classic Web Client should simultaneously evaluate migration to the modern interface — this is the most effective way to eliminate an entire class of recurring vulnerabilities.