CVE-2023-48432: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Zimbra Collaboration (ZCS) versions 8.8.15, 9.0, and 10.0. The vulnerability allows attackers to execute arbitrary JavaScript code and steal user sessions through a specially crafted link containing malicious JavaScript code in a webmail redirection endpoint. This vulnerability requires user interaction, specifically clicking on the malicious link within Zimbra webmail (NVD, CVE).

The vulnerability is classified as a cross-site scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from improper validation of user input in the webmail redirection endpoint, which allows JavaScript code execution when a victim clicks on a specially crafted link within an email message (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session, potentially leading to session theft and unauthorized access to the victim's mailbox. The attack requires user interaction in the form of clicking a malicious link (Security Center).

The vulnerability has been fixed in Zimbra Collaboration versions 10.0.6, 9.0.0 Patch 38, and 8.8.15 Patch 45. Users are strongly advised to upgrade to these or later versions to mitigate the risk (Security Center).