Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.
Published: 2026-03-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that allows arbitrary scripts to run in the victim’s browser, potentially enabling data theft or other unauthorized actions.
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Zimbra Briefcase feature. The application fails to sanitize particular uploaded file types, letting an attacker embed malicious JavaScript. When a user opens a publicly shared Briefcase file containing that script, the code executes within the user’s browser context, giving the attacker the ability to run arbitrary scripts under the victim’s authority.

Affected Systems

Synacor Zimbra Collaboration Suite versions 10.0 and 10.1 are affected. Any installation that uses the Briefcase feature and shares its contents publicly is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1 and an EPSS lower than 1 %. It can be exploited by uploading a crafted file to a publicly accessible Briefcase folder. No special permissions on the server are required; the attacker only needs a user account with upload rights. Once the victim opens the file, the attacker’s script runs, potentially exfiltrating data or performing other actions. The flaw is not listed in the KEV catalog, but its straightforward exploit path makes it an attractive target for attackers seeking to compromise user accounts without host‑level privileges.

Generated by OpenCVE AI on April 2, 2026 at 05:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zimbra Collaboration Suite to version 10.1.16 or later.
  • Restrict or revoke public access to Briefcase folders.
  • Limit or disable upload of file types that can contain embedded scripts in Briefcase.
  • Ensure the Briefcase preview engine does not execute user‑provided scripts by applying proper XSS filtering.

Generated by OpenCVE AI on April 2, 2026 at 05:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting in Zimbra Briefcase Enables Malicious Script Execution

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Synacor
Synacor zimbra Collaboration Suite
CPEs cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
Vendors & Products Synacor
Synacor zimbra Collaboration Suite

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Zimbra
Zimbra collaboration
Vendors & Products Zimbra
Zimbra collaboration

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.
References

Subscriptions

Synacor Zimbra Collaboration Suite
Zimbra Collaboration
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:38:46.271Z

Reserved: 2026-03-19T00:00:00.000Z

Link: CVE-2026-33370

cve-icon Vulnrichment

Updated: 2026-03-23T13:38:10.604Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T14:16:16.127

Modified: 2026-04-01T15:36:22.310

Link: CVE-2026-33370

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:40Z

Weaknesses