CVE-2025-48700
published 2025-06-23


Priority: P278 medium; CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
CISA KEV: listed as a Known Exploited Vulnerability, remediation due 2026-04-23
Exploited in the wild (ITW)
EPSS: 1.76% (75.2th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

Affected

4 ranges

Vendor    Product                       Version range           Fixed in
synacor   zimbra_collaboration_suite    (not listed)            (not listed)
synacor   zimbra_collaboration_suite    (not listed)            (not listed)
synacor   zimbra_collaboration_suite    >= 10.0.0, < 10.0.12    10.0.12
synacor   zimbra_collaboration_suite    >= 10.1.0, < 10.1.4     10.1.4

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered when a user views a crafted e-mail message in the Classic UI — monitor for XSS payloads in email bodies rendered by Zimbra Classic UI, particularly those containing @import directives or crafted tag/attribute structures
  • No user interaction beyond viewing the email is required; detection should focus on anomalous JavaScript execution or session hijacking events originating from Zimbra webmail sessions
  • Vendor security advisory and patch details are located at the Zimbra Security Advisories wiki; reference this for precise patch version numbers before deploying mitigations

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck             6.1     MEDIUM
cisa                  6.1     MEDIUM