Actively exploited in the wild
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Synacor — Zimbra Collaboration Suite (ZCS) · Listed in the CISA KEV since 2023-07-27. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-37580
Medium · CVSS 6.1 · KEV
Exploitation Probability (EPSS): Very high risk · 99th percentile — higher than 99% of all known CVEs
Summary
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
Risk Assessment
An attacker can exploit this vulnerability to inject malicious scripts, potentially leading to user data theft or session hijacking.
Recommendation
Update Zimbra to version 8.8.15 Patch 41 or later to mitigate this vulnerability.
Original NVD description (English source)
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

