Zimbra Collaboration 10.0.x < 10.0.13 Stored Cross-Site Scripting

medium Web App Scanning Plugin ID 115005

Synopsis

Zimbra Collaboration 10.0.x < 10.0.13 Stored Cross-Site Scripting

Description

According to its banner, the version of Zimbra Collaboration running on the remote host is 10.0.x prior to 10.0.13 or 10.1.x prior to 10.1.5. It is, therefore, affected by a Stored Cross-Site Scripting (XSS) vulnerability due to insufficient sanitization of HTML content in ICS files.

Note that the scanner has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Zimbra Collaboration version 10.0.13, 10.1.5 or later.

See Also

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Plugin Details

Severity: Medium

ID: 115005

Type: remote

Published: 10/21/2025

Updated: 10/21/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-27915

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2025-27915

Vulnerability Information

CPE: cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/11/2025

CISA Known Exploited Vulnerability Due Dates: 10/28/2025

Reference Information

CVE: CVE-2025-27915