A critical stored XSS vulnerability in Zimbra's Classic Web Client has been addressed with the release of version 10.1.19. This flaw allows malicious emails to execute code when opened, potentially granting attackers access to sensitive mailbox information, session data, and account settings. The vulnerability can be exploited by sending specially crafted emails that trigger the execution of malicious code within the Classic UI. Although a CVE ID has not been assigned to this vulnerability, its impact is significant, as successful exploitation could compromise user data and account security. Zimbra users are advised to update to the latest version to mitigate this risk1. The severity of this vulnerability underscores the importance of prompt patching and highlights the need for organizations to prioritize email client security to prevent potential breaches.
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes
⚠️ Critical Alert
Why This Matters
Successful exploitation could allow attackers to access to mailbox information, session data, or account settings.
References
- SecurityAffairs. (2026, July 10). Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes. SecurityAffairs. https://securityaffairs.com/195130/hacking/update-now-critical-zimbra-classic-web-client-flaw-could-expose-mailboxes.html
Original Source
SecurityAffairs
Read original →