An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.
References
| Link | Resource |
|---|---|
| https://wiki.zimbra.com/wiki/Security_Center | Vendor Advisory |
| https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes | Release Notes |
| https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes | Release Notes |
| https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy | Product |
Configurations
Configuration 1 (hide)
|
History
11 Jun 2025, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Synacor zimbra Collaboration Suite
Synacor |
|
| CPE | cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:* |
|
| References | () https://wiki.zimbra.com/wiki/Security_Center - Vendor Advisory | |
| References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes - Release Notes | |
| References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes - Release Notes | |
| References | () https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy - Product |
Information
Published : 2024-11-20 19:15
Updated : 2025-06-11 21:16
NVD link : CVE-2024-45511
Mitre link : CVE-2024-45511
CVE.ORG link : CVE-2024-45511
JSON object : View
Products Affected
synacor
- zimbra_collaboration_suite
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')