CVE-2023-45206: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Zimbra Collaboration (ZCS) versions 8.8.15, 9.0, and 10.0. The vulnerability exists in the help document endpoint in webmail, where an attacker can inject JavaScript or HTML code. This vulnerability was disclosed in February 2024 (NVD, CVE).

The vulnerability is classified as a cross-site scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. The vulnerability specifically affects the help document endpoint in the webmail interface, allowing potential injection of malicious JavaScript or HTML code (NVD).

If exploited, this vulnerability could allow attackers to inject and execute malicious JavaScript or HTML code through the help document endpoint in webmail. This could potentially lead to unauthorized access to user information or manipulation of the web interface content (Zimbra Security).

The vulnerability has been addressed by making the robohelp package optional and redirecting users to access help documentation at https://www.zimbra.com/documentation/. The fix was implemented in Zimbra Collaboration versions 8.8.15 Patch 44, 9.0.0 Patch 37, and 10.0.5. Adding an adequate message to avoid malicious code will also mitigate this issue (Zimbra Advisories).

The vulnerability was discovered and reported by Aviva Lietuva and UAGDPB, demonstrating collaborative security research efforts in identifying and addressing potential threats to the Zimbra platform (Zimbra Advisories).