ZIMBRA has released version 10.1.19 to address a critical stored XSS vulnerability in its Classic Web Client, which allows malicious emails to execute harmful code when opened. This vulnerability can lead to unauthorized access to mailbox information, session data, and account settings. Although there is currently no evidence of exploitation, organizations are urged to update promptly to mitigate risks. The issue was discovered by Google’s Threat Analysis Group. The U.S.
Cybersecurity and Infrastructure Security Agency (CISA) has noted several Zimbra vulnerabilities in its Known Exploited Vulnerabilities catalog, some of which have been exploited by APT groups in targeted attacks.