CVE-2025-48700

MEDIUM CISA KEV EPSS 75.2%
Published Jun 23, 20251y ago · Modified Jun 17, 20262w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Jun 23, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
KEV Listed Apr 20, 2026 2mo ago
KEV Due Apr 23, 2026 69d overdue

Description

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

CISA Known Exploited Overdue 69d
Added
Apr 20, 2026
Due
Apr 23, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability
75.2% percentile
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 94

VendorProductVersionRange
synacorzimbra_collaboration_suite*≥10.0.0  –  <10.0.12
synacorzimbra_collaboration_suite*≥10.1.0  –  <10.1.4
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite8.8.15any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any
synacorzimbra_collaboration_suite9.0.0any

References 4

  • wiki.zimbra.com https://wiki.zimbra.com/wiki/Security_Center
    Release Notes
  • wiki.zimbra.com https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
    Product
  • wiki.zimbra.com https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    Vendor Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700
    US Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.