CVE-2024-45511

An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A reflected Cross-Site Scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.
Configurations

Configuration 1

OR cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*

History

11 Jun 2025, 21:16

Type | Values Removed | Values Added
First Time | | Synacor; Synacor zimbra Collaboration Suite
References | () https://wiki.zimbra.com/wiki/Security_Center - | () https://wiki.zimbra.com/wiki/Security_Center - Vendor Advisory
References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes - | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes - Release Notes
References | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes - | () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes - Release Notes
References | () https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy - | () https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy - Product
CPE | | cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*; cpe:2.3:a:synacor:zimbra_collaboration_suite:10.1.0:*:*:*:*:*:*:*
Summary | | (es) An issue was discovered in Zimbra Collaboration (ZCS) through version 10.1. A reflected cross-site scripting (XSS) issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder containing a malicious file uploaded by the attacker. The vulnerability allows the attacker to execute arbitrary JavaScript in the context of the victim's session.

21 Nov 2024, 13:57

Type | Values Removed | Values Added
CWE | | CWE-79
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 5.4

20 Nov 2024, 19:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-11-20 19:15

Updated : 2025-06-11 21:16


NVD link : CVE-2024-45511

Mitre link : CVE-2024-45511

CVE.ORG link : CVE-2024-45511



Products Affected

synacor

  • zimbra_collaboration_suite
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')