Zimbra: Zimbra Releases Security Patch for Stored XSS Vulnerability in Classic Web Client

Zimbra: Zimbra Releases Security Patch for Stored XSS Vulnerability in Classic Web Client

Zimbra Patches Stored XSS Vulnerability in Classic Web Client

Zimbra released Daffodil v10.1.19 on July 7, 2026, addressing a stored cross-site scripting (XSS) vulnerability in its Classic Web Client. The flaw could allow attackers to embed malicious JavaScript in crafted emails, executing code within a logged-in user’s session when the message is opened or previewed.

Unlike reflected XSS attacks, which require user interaction with a malicious link, stored XSS payloads persist within the application, increasing the risk of exploitation. Successful attacks could expose mailbox content, perform unauthorized actions via the web interface, or manipulate users into interacting with malicious prompts.

The patch includes updated packages:

  • zimbra-patch v10.1.19.1783177840-2
  • zimbra-mbox-webclient-war v10.1.19.1783175257-1

Zimbra did not assign a CVE identifier or CVSS score to the vulnerability. Organizations upgrading from ZCS 10.1.x with prior SNMP mitigation applied do not need additional steps. However, those migrating from ZCS 10.0.x, 9.0.x, or 8.8.15 must reapply the mitigation after upgrading.

Administrators are advised to prioritize the update, particularly where the Classic Web Client remains in use, and monitor access logs for signs of exploitation. Support is available via Zimbra’s ticketing system for deployment assistance.

Source: https://gbhackers.com/zimbra-releases-security-patch-stored-xss/

Zimbra TPRM report: https://www.rankiteo.com/company/zimbra

"id": "zim1783765567",
"linkid": "zimbra",
"type": "Vulnerability",
"date": "7/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Organizations using Zimbra '
                                              'Classic Web Client',
                        'industry': 'Email and Collaboration Software',
                        'name': 'Zimbra',
                        'type': 'Software Provider'}],
 'attack_vector': 'Malicious JavaScript embedded in crafted emails',
 'customer_advisories': 'Support is available via Zimbra’s ticketing system '
                        'for deployment assistance.',
 'data_breach': {'type_of_data_compromised': 'Mailbox content'},
 'date_publicly_disclosed': '2026-07-07',
 'date_resolved': '2026-07-07',
 'description': 'Zimbra released Daffodil v10.1.19 on July 7, 2026, addressing '
                'a stored cross-site scripting (XSS) vulnerability in its '
                'Classic Web Client. The flaw could allow attackers to embed '
                'malicious JavaScript in crafted emails, executing code within '
                'a logged-in user’s session when the message is opened or '
                'previewed. Successful attacks could expose mailbox content, '
                'perform unauthorized actions via the web interface, or '
                'manipulate users into interacting with malicious prompts.',
 'impact': {'data_compromised': 'Mailbox content',
            'operational_impact': 'Unauthorized actions via web interface, '
                                  'user manipulation',
            'systems_affected': 'Zimbra Classic Web Client'},
 'post_incident_analysis': {'corrective_actions': 'Patch release and advisory '
                                                  'to monitor logs',
                            'root_causes': 'Stored XSS vulnerability in '
                                           'Classic Web Client'},
 'recommendations': 'Administrators should prioritize the update, particularly '
                    'where the Classic Web Client remains in use, and monitor '
                    'access logs for signs of exploitation.',
 'references': [{'source': 'Zimbra Advisory'}],
 'response': {'communication_strategy': 'Advisory to administrators to '
                                        'prioritize updates and monitor access '
                                        'logs',
              'containment_measures': 'Patch release (Daffodil v10.1.19)',
              'enhanced_monitoring': 'Monitor access logs for signs of '
                                     'exploitation',
              'remediation_measures': 'Updated packages: zimbra-patch '
                                      'v10.1.19.1783177840-2, '
                                      'zimbra-mbox-webclient-war '
                                      'v10.1.19.1783175257-1'},
 'title': 'Zimbra Patches Stored XSS Vulnerability in Classic Web Client',
 'type': 'Stored Cross-Site Scripting (XSS)',
 'vulnerability_exploited': 'Stored XSS in Zimbra Classic Web Client'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.