CVE-2024-45510
Description
Stored XSS in Zimbra Webmail (Modern UI) allows an attacker to execute malicious code when the victim adds the attacker to contacts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration (ZCS) Webmail Modern UI through version 10.0. Improper sanitization of user input in specific fields of an email message allows an attacker to inject malicious code. When the victim adds the attacker to their contacts, the malicious payload is stored and executed upon viewing the contact list. Affected versions include ZCS 10.0.x and earlier.
Exploitation
An attacker sends a specially crafted email to a victim using the Zimbra Webmail Modern UI. The email contains malicious JavaScript in fields that are not properly sanitized. When the victim adds the attacker's email address to their contacts (e.g., via the "Add to Contacts" action), the injected code is stored. Subsequently, when the victim views their contact list, the code executes in the context of the victim's session. No additional user interaction is required beyond adding the contact.
Impact
Successful exploitation allows the attacker to perform unauthorized actions on behalf of the victim, including arbitrary email sending, mailbox data exfiltration, profile picture alteration, and other malicious operations. The attacker gains the same privileges as the victim within the Zimbra Webmail interface, leading to a compromise of confidentiality, integrity, and availability of the victim's mailbox and account.
Mitigation
Zimbra has addressed CVE-2024-45510 in ZCS 10.0.9 and ZCS 9.0.0 Patch 41, both released on September 4, 2024 [3][4]. Users are advised to upgrade to these versions or later. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zimbra Collaboration / Zimbra Webmail
- Range: <=10.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.