Back

CVE-2024-33533

Aug. 12, 2024, 6:57 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Zimbra Collaboration

  • 9.0
  • 10.0

Source

cve@mitre.org

Tags

cve@mitre.org
2024-08-12
CVE-2024-33533

CVE-2024-33533 details

Published : Aug. 12, 2024, 3:15 p.m.
Last Modified : Aug. 12, 2024, 6:57 p.m.

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

References

URL Source
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes cve@mitre.org
This website uses the NVD API, but is not approved or certified by it.