CVE-2026-33370

{"id": "CVE-2026-33370", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T14:16:16.127", "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "tags": ["Vendor Advisory", "Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 10.0 y 10.1. Existe una vulnerabilidad de cross-site scripting (XSS) almacenado en la funci\u00f3n Zimbra Briefcase debido a una sanitizaci\u00f3n insuficiente de tipos de archivos subidos espec\u00edficos. Cuando un usuario abre un archivo de Briefcase compartido p\u00fablicamente que contiene scripts maliciosos, el JavaScript incrustado se ejecuta en el contexto de la sesi\u00f3n del usuario. Esto permite a un atacante ejecutar scripts arbitrarios, lo que podr\u00eda llevar a la exfiltraci\u00f3n de datos o a otras acciones no autorizadas en nombre del usuario v\u00edctima."}], "lastModified": "2026-04-01T15:36:22.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0", "versionEndExcluding": "10.1.16", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}