Actively exploited in the wild

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor — Zimbra Collaboration Suite (ZCS) · Listed in the CISA KEV since 2025-02-25. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2023-34192

Critical · CVSS 9.0 · KEV

Exploitation Probability (EPSS)

Very high risk
77.27%

100th percentile — higher than 100% of all known CVEs

Summary

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Risk Assessment

An attacker could exploit this vulnerability to gain control over the system or steal user data, posing a significant threat to the organization's security.

Recommendation

Update Zimbra ZCS to the latest version to mitigate this vulnerability, and conduct a security audit of the application.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS