
A zero‑click cross‑site scripting flaw in Zimbra’s Classic Web Client lets attackers seize control of accounts merely by delivering a malicious email, a risk that was patched with the release of version 10.1.19 on 7 July.
The vulnerability is a stored XSS issue that triggers when a user opens a compromised message, executing arbitrary JavaScript without any further interaction and enabling the theft of session tokens, mailbox contents and configuration settings.
Discovered by Google’s Threat Analysis Group, the flaw does not yet have a CVE identifier but was addressed in the advisory posted on the Zimbra blog here, which urges immediate upgrade to the latest build.
Although no active exploitation has been observed, the U.S. Cybersecurity and Infrastructure Security Agency has previously listed several Zimbra weaknesses in its Known Exploited Vulnerabilities catalogue, noting that some have been leveraged by APT groups in targeted campaigns.
Defenders should prioritise updating to Zimbra 10.1.19 across all servers, review mail gateway logs for unexpected script payloads and consider temporarily disabling the Classic Web Client for users who can work with the modern interface until the upgrade is verified.
Organisations are also advised to test the patch in a staging environment, reinforce phishing awareness training and maintain multi‑factor authentication to reduce the impact of any future zero‑click attempts.