Zimbra is urging prospects to use updates to deal with a crucial safety vulnerability impacting the Basic Internet Shopper that might end in arbitrary code execution.
The vulnerability has been described as a case of saved cross-site scripting (XSS) that might permit specifically crafted emails to execute malicious scripts in a person’s session. It has but to be assigned a CVE identifier.
“The replace fixes a safety difficulty within the Basic Internet Shopper the place a specifically crafted e mail might run malicious code when the e-mail is opened,” Zimbra stated. “If exploited, it might permit entry to mailbox data, session information, or account settings.”
XSS vulnerabilities happen when an software contains untrusted information in an internet web page with out correct validation or escaping. This permits attackers to inject and execute malicious JavaScript in victims’ browsers, which may end up in session hijacking, credential theft, and account compromise.
Saved XSS, or persistent XSS, is a sort of XSS flaw the place the injected script is completely saved on the goal servers in a database within the type of a seemingly innocent remark or a discussion board put up, inflicting any website customer to be compromised as quickly because the web page containing the JavaScript is loaded on their internet browser.
Though Zimbra makes no point out of the vulnerability being exploited within the wild, XSS flaws in Zimbra have been an assault magnet for years, with unhealthy actors trying to weaponize such vulnerabilities way back to December 2021.
Final October, a saved XSS flaw within the Basic Internet Shopper (CVE-2025-27915, CVSS Rating: 5.4) was alleged to have been exploited as a zero-day in assaults concentrating on the Brazilian navy, though Zimbra instructed The Hacker Information on the time that it discovered no proof to again it up.
Different XSS flaws which were exploited by menace actors embody CVE-2023-37580 and CVE-2024-27443. Given its excessive potential for abuse, customers are beneficial to replace to Zimbra Collaboration Suite model 10.1.19 for optimum safety.









