CVE-2024-45515: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Zimbra Collaboration (ZCS) through version 10.1. The vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. This vulnerability was assigned CVE-2024-45515 and was disclosed in September 2024 (Zimbra Security).

The vulnerability stems from inadequate validation of content type metadata during file import operations in the briefcase feature of Zimbra webmail. The CVSS 3.1 base score for this vulnerability is 6.1 (MEDIUM), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows attackers to bypass content type checks and execute arbitrary JavaScript within the victim's session. This could lead to unauthorized access to user data and potential session hijacking (Zimbra Releases).

The vulnerability has been patched in Zimbra Collaboration versions 10.0.9 and 10.1.1. Users are strongly advised to upgrade to these or later versions to mitigate the risk (Zimbra Releases).