vulnerability

Zimbra Collaboration: CVE-2020-11737: Persistent Cross-Site Scripting (XSS) vulnerability.

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	May 5, 2020	Jan 10, 2025	Jul 2, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

May 5, 2020

Added

Jan 10, 2025

Modified

Jul 2, 2025

Description

A cross-site scripting (xss) vulnerability in web client in zimbra 9.0 allows a remote attacker to craft links in an e-mail message or calendar invite to execute arbitrary javascript. the attack requires an a element containing an href attribute with a "www" substring (including the quotes) followed immediately by a dom event listener such as onmouseover. this is fixed in 9.0.0 patch 2.

Solution

zimbra-collaboration-upgrade-latest

References

CWE-79
CVE-2020-11737
https://attackerkb.com/topics/CVE-2020-11737
URL-https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2
URL-https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today