TROYANOSYVIRUS

CVE-2025-48700

MEDIUM (6.1) | CISA KEV

Description

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

CVE Details

CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 6/23/2025
Last modified: 4/21/2026
Source: nvd
Honeypot sightings: 0

CISA KEV

Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
Date added to KEV: 2026-04-20
Remediation due date: 2026-04-23
Ransomware use: Unknown

Affected products

synacor:zimbra_collaboration_suite

Weaknesses (CWE)

CWE-79

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.