CVE-2024-45194 - Vulnerability Details

In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Synacor	Zimbra Collaboration Suite

Configuration 1 [-]

OR	cpe:2.3:a:synacor:zimbra_collaboration_suite::::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9::::::
	cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:::::::*

No data.

References

Link	Providers
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

History

Wed, 11 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synacor Synacor zimbra Collaboration Suite
CPEs		cpe:2.3:a:synacor:zimbra_collaboration_suite:::::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:::::::* cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p26:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p27:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p28:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p29:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p30:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p31:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p32:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p33:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p34:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p35:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p36:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p37:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p38:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p39:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p3:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p40:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p4:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p5:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p6:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p7:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p8:::::: cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p9::::::
Vendors & Products		Synacor Synacor zimbra Collaboration Suite

Thu, 21 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 21 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Description		In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)
References		https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-11-21T00:00:00

Updated: 2024-11-21T18:03:06.608Z

Reserved: 2024-08-22T00:00:00

Link: CVE-2024-45194

Vulnrichment

Updated: 2024-11-21T18:02:41.422Z

NVD

Status : Analyzed

Published: 2024-11-21T17:15:15.440

Modified: 2025-06-11T15:40:45.710

Link: CVE-2024-45194

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object