vulnerability

Zimbra Collaboration: CVE-2020-11737: Persistent Cross-Site Scripting (XSS) vulnerability.

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	2020-05-05	2025-01-10	2025-03-18

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

2020-05-05

Added

2025-01-10

Modified

2025-03-18

Description

A cross-site scripting (xss) vulnerability in web client in zimbra 9.0 allows a remote attacker to craft links in an e-mail message or calendar invite to execute arbitrary javascript. the attack requires an a element containing an href attribute with a "www" substring (including the quotes) followed immediately by a dom event listener such as onmouseover. this is fixed in 9.0.0 patch 2.

Solution

zimbra-collaboration-upgrade-latest

References

CVE-2020-11737
https://attackerkb.com/topics/CVE-2020-11737
URL-https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
URL-https://blog.zimbra.com/2020/05/new-zimbra-9-kepler-patch-2/
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today