← Voltar para CVEs
CVE-2025-48700
MEDIUMCISA KEV6.1
Descricao
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
Detalhes CVE
Pontuacao CVSS v3.16.1
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioREQUIRED
Publicado6/23/2025
Ultima modificacao4/21/2026
Fontenvd
Avistamentos honeypot0
CISA KEV
FornecedorSynacor
ProdutoZimbra Collaboration Suite (ZCS)
Nome da vulnerabilidadeSynacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
Data inclusao KEV2026-04-20
Prazo de remediacao2026-04-23
Uso em ransomwareUnknown
Produtos afetados
synacor:zimbra_collaboration_suite
Fraquezas (CWE)
CWE-79
Referencias
https://wiki.zimbra.com/wiki/Security_Center(cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories(cve@mitre.org)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.