Critical Stored XSS Flaw in Zimbra Classic Web Client Could Expose Mailboxes
What Happened — Zimbra released version 10.1.19 to patch a critical stored cross‑site scripting (XSS) vulnerability in its Classic Web Client. The flaw allows a malicious email to execute JavaScript in the victim’s browser when opened, potentially exposing mailbox contents, session tokens, and account settings. No CVE ID has been assigned yet, and there is no public evidence of active exploitation.
Why It Matters for Compliance & Audit Readiness
- The scenario maps directly to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls that require protection against client‑side code injection and continuous monitoring of software patches.
- Demonstrating timely remediation (patching to 10.1.19) provides audit‑ready evidence of a robust vulnerability‑management process.
- Leveraging Verisq’s Control Mapping capability helps you align this patch‑event to your SOC 2 control matrix and generate continuous evidence for auditors.
Who Is Affected — Organizations that run Zimbra Collaboration Suite (ZCS) Classic Web Client, spanning SaaS providers, education institutions, government agencies, and any enterprise relying on on‑prem or hosted email services.
Recommended Actions
- Verify your ZCS version; upgrade immediately to 10.1.19 or later.
- Document the patch deployment in your change‑management system and map it to SOC 2 CC6.1/CC7.1 controls.
- Enable web‑application firewalls or content‑security policies to mitigate XSS while patches are applied.
- Incorporate the patch event into your continuous compliance dashboard for audit evidence.
Technical Notes — The vulnerability is a stored XSS in the Classic UI that triggers when a specially crafted email is opened. Exploitation can harvest credentials, session tokens, 2FA codes, and up to 90 days of mailbox data. Google’s Threat Analysis Group discovered the issue; related CVEs (e.g., CVE‑2025‑66376) have been previously exploited by APT28 in phishing campaigns. Source: SecurityAffairs