Zimbra has released ZCS v10.1.19 to fix a critical stored XSS flaw in the Classic Web Client that could let attackers steal session data, account settings, or mailbox information through malicious emails. The issue has not yet been assigned a CVE, and Zimbra urged all Classic Web Client users to upgrade immediately after the flaw was reported by Google’s Threat Analysis Group. #Zimbra #ZCSv10_1_19 #GoogleThreatAnalysisGroup
Keypoints
- Zimbra patched a critical stored XSS vulnerability in the Classic Web Client.
- The flaw can be triggered by specially crafted emails opened by users.
- Successful exploitation may expose session data, account settings, and mailbox content.
- Zimbra advised all Classic Web Client customers to upgrade to ZCS v10.1.19 immediately.
- Google’s Threat Analysis Group reported the issue, highlighting interest from state-backed threat actors.