Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.
https://www.exploit-db.com/exploits/45177/
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories