CVE-2023-50808: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A DOM-based JavaScript injection vulnerability was discovered in Zimbra Collaboration's Modern UI, affecting versions before Kepler 9.0.0 Patch 38 GA. The vulnerability was disclosed and patched in December 2023 (Zimbra Security, Zimbra Releases).

The vulnerability is classified as a DOM-based JavaScript injection issue specifically affecting the Modern UI interface of Zimbra Collaboration. According to the National Vulnerability Database, it received a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), while CISA-ADP assessed it at 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability is categorized under CWE-79 (Cross-site Scripting) (NVD).

The vulnerability could allow attackers to execute arbitrary JavaScript code within the context of the Modern UI, potentially leading to unauthorized access to sensitive information and possible manipulation of the user interface (NVD).

The vulnerability has been fixed in Zimbra Collaboration Kepler 9.0.0 Patch 38 GA. Users are advised to upgrade to this version or later to mitigate the risk. The fix includes security-related improvements to prevent DOM-based JavaScript injection in the Modern UI (Zimbra Releases).