Zimbra Collaboration Suite Cross-Site Scripting (XSS) Zero-day Vulnerability

There is a critical severity vulnerability affecting the Zimbra Collaboration Suite. The cross-site scripting vulnerability allows an attacker to impact the confidentiality and integrity of the user’s data.

Zimbra has mentioned in the security update that “The fix is planned to be delivered in the July patch release.”

Zimbra Collaboration Suite is a widely deployed web client and email server that provides complete email, address book, calendar, and task solutions. All the apps are available on Zimbra Web Client, Zimbra Desktop offline client, Outlook, and various other email clients and mobile devices. Over 200,000 businesses in 140 countries currently use this email and collaboration platform.

Affected versions

The vulnerability affects the Zimbra Collaboration Suite Version 8.8.15.

Mitigation

Zimbra has released a manual fix for this vulnerability. For more information, please refer to the Zimbra security update.

The following steps apply the manual fix on all mailbox nodes:

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
  2. Edit this file and go to line number 40.
  3. Update the parameter value as mentioned below:
     <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
  4. Before the update, the line appeared like this:
     <input name="st" type="hidden" value="${param.st}"/>

After the update, the line should appear like this:
<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Note: A Zimbra service restart is not required, so the fix can be applied without downtime.
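Because the fix is a hand edit repeated on every mailbox node, it is easy to miss a node or to leave the old line in place. The helper below is an added verification script, not Zimbra's or Qualys's code: it reports whether a given copy of the momoveto file carries the escaped `st` input line, the raw `${param.st}` line, or neither. It assumes the file uses straight double quotes and the attribute order shown in the steps above (the regular expressions are built from those lines); the sample files it creates are constructed for demonstration only.

```bash
#!/bin/sh
# Added example (not part of the Zimbra advisory or the Qualys post).
# check_momoveto FILE
#   returns 0 when FILE contains the patched line (fn:escapeXml applied to param.st)
#   returns 1 when FILE still contains the unescaped ${param.st} attribute value
#   returns 2 when FILE is unreadable or neither form is found (unexpected layout)
# On a real node FILE would be /opt/zimbra/jetty/webapps/zimbra/m/momoveto.
check_momoveto() {
    file="$1"
    [ -r "$file" ] || return 2
    # Patched form: value="${fn:escapeXml(param.st)}" on the st input
    if grep -q 'name=[ ]*"st"[^>]*value=[ ]*"${fn:escapeXml(param.st)}"' "$file"; then
        return 0
    fi
    # Unpatched form: value="${param.st}" written into the attribute unescaped
    if grep -q 'name=[ ]*"st"[^>]*value=[ ]*"${param.st}"' "$file"; then
        return 1
    fi
    return 2
}

# describe_momoveto FILE: human-readable wrapper around check_momoveto
describe_momoveto() {
    rc=0
    check_momoveto "$1" || rc=$?
    case "$rc" in
        0) echo "$1: patched (fn:escapeXml present)" ;;
        1) echo "$1: VULNERABLE (raw \${param.st} still present)" ;;
        *) echo "$1: unknown (file missing or st input line not found)" ;;
    esac
    return "$rc"
}

# make_samples: writes two constructed sample files (one per form from the
# advisory) into a temporary directory and prints that directory's path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '<input name="st" type="hidden" value="${param.st}"/>' > "$d/momoveto.before"
    printf '%s\n' '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>' > "$d/momoveto.after"
    echo "$d"
}

# Stand-alone demonstration against the constructed samples.
samples=$(make_samples)
describe_momoveto "$samples/momoveto.before" || true
describe_momoveto "$samples/momoveto.after"  || true
describe_momoveto "$samples/momoveto.missing" || true
```

To audit a real deployment, run `describe_momoveto /opt/zimbra/jetty/webapps/zimbra/m/momoveto` on each mailbox node (for example from a loop over the node list with ssh) and treat any non-zero exit status as a node that still needs the edit or a closer look.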

Qualys Detection

Qualys customers can scan their devices with QID 378668 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://info.zimbra.com/security-update-zimbra-collaboration-suite-version-8.8.15-important
