Cross-Site Scripting Vulnerability in Zimbra Collaboration by Zimbra
CVE-2025-48700

Currently unrated

Key Information:

Vendor: Zimbra
Status: Zimbra Collaboration Suite (ZCS)
Vendor: CVE Published:; 23 June 2025

What is CVE-2025-48700?

A Cross-Site Scripting vulnerability has been identified in various versions of Zimbra Collaboration Suite (ZCS), allowing attackers to inject arbitrary JavaScript through insufficiently sanitized HTML content. This flaw is particularly concerning as it can be exploited when users open specially crafted email messages in the Classic UI, enabling potential unauthorized access to sensitive data without any requirement for additional user interaction. Mitigating this risk requires promptly updating to the latest product versions and employing security best practices.

References

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosur...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2025
Vulnerability Reserved
May 23, 2025