GBHackers

Zimbra Releases Security Patch for Stored XSS Vulnerability in Classic Web Client


Zimbra has released its Daffodil v10.1.19 patch update, addressing a stored cross-site scripting (XSS) vulnerability in the platform’s Classic Web Client.

The security issue could allow a specially crafted email message to execute malicious JavaScript within the context of a logged-in recipient’s webmail session.

The update, released on July 7, 2026, includes fixes delivered through updated zimbra-patch and zimbra-mbox-webclient-war packages. Zimbra has not published a CVE identifier or CVSS severity score for the vulnerability in its release notes.

Zimbra Releases Security Patch for Stored XSS Vulnerability

Stored XSS flaws are particularly significant in webmail environments because attackers can embed malicious content in messages delivered to target mailboxes.

Unlike reflected XSS attacks, which usually require victims to visit a malicious URL, stored XSS payloads are retained by the affected application and may execute when a user opens or previews the crafted email in the vulnerable interface.

In this case, successful exploitation could enable an attacker to run scripts under the security context of the affected user’s Classic Web Client session.

Depending on browser protections, application controls, and session permissions, such activity could potentially expose mailbox content, perform unauthorized actions through the web interface, or trick users into interacting with malicious prompts.

The patched packages included in the Zimbra Daffodil v10.1.19 release are:

  • zimbra-patch version 10.1.19.1783177840-2
  • zimbra-mbox-webclient-war version 10.1.19.1783175257-1

Zimbra also provided upgrade guidance related to its existing SNMP mitigation. Customers upgrading from a ZCS 10.1.x deployment do not need to take further action if they previously applied the SNMP mitigation.

Zimbra confirmed that this mitigation remains effective after the system is upgraded to version 10.1.19. Organizations migrating from ZCS 10.0.x, 9.0.x, or 8.8.15 must update and reapply the SNMP mitigation after upgrading to ZCS 10.1.19.

Zimbra instructs affected administrators to follow the revised mitigation steps included in its Security Advisory after the upgrade is complete. Customers requiring deployment assistance or clarification can raise a Support ticket with Zimbra.

Security teams should prioritize the Daffodil 10.1.19 update, especially where the Classic Web Client is enabled and accessible to users. Administrators should also review webmail access logs for unusual mailbox behavior, unexpected session activity, or suspicious requests that may indicate attempted client-side exploitation.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.



Source link