{"id":"CVE-2020-13653","details":"An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.","modified":"2026-04-10T04:22:22.728994Z","published":"2020-07-02T16:15:11.577Z","references":[{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Security_Center"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P11"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P4"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"fixed":"ac6081fa002b1511e926aba37740d2b6c20f3f43"},{"introduced":"0"},{"last_affected":"ac6081fa002b1511e926aba37740d2b6c20f3f43"},{"introduced":"0"},{"last_affected":"29eea219faf34718f0ef1cda7c3f02c89910c96c"},{"introduced":"0"},{"last_affected":"905970576d6fe337150f09c0ad7a0f53aa1a8f42"},{"introduced":"0"},{"last_affected":"0e40da921adb967639011de45841cef4c4601413"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.8.15"},{"introduced":"0"},{"last_affected":"8.8.15-NA"},{"introduced":"0"},{"last_affected":"8.8.15-p1"},{"introduced":"0"},{"last_affected":"8.8.15-p3"},{"introduced":"0"},{"last_affected":"8.8.15-p5"}]}},{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"last_affected":"e9ebb1ed89f27827ea1963d1329b1f8335aba9ac"},{"introduced":"0"},{"last_affected":"8dd758add476db0ee9a7c1abab136e30ebde01b2"},{"introduced":"0"},{"last_affected":"efd11afe1b526bb03f59b699aaadf6a1449e0244"},{"introduced":"0"},{"last_affected":"d093cdf68ec6716be445c653277f602739a5086b"},{"introduced":"0"},{"last_affected":"a12b964a206748de6db6dc1da2ee16249aabafce"},{"introduced":"0"},{"last_affected":"58996926d8f031827e03ec788d69fd2d16739b1a"},{"introduced":"0"},{"last_affected":"d31ba9d45eb31100ea30461dd859a5a9663b1e4a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.8.15-p10"},{"introduced":"0"},{"last_affected":"8.8.15-p2"},{"introduced":"0"},{"last_affected":"8.8.15-p4"},{"introduced":"0"},{"last_affected":"8.8.15-p6"},{"introduced":"0"},{"last_affected":"8.8.15-p7"},{"introduced":"0"},{"last_affected":"8.8.15-p8"},{"introduced":"0"},{"last_affected":"8.8.15-p9"}]}}],"versions":["8.8.10","8.8.12","8.8.15","8.8.15.p1","8.8.15.p10","8.8.15.p11","8.8.15.p2","8.8.15.p3","8.8.15.p4","8.8.15.p5","8.8.15.p6","8.8.15.p7","8.8.15.p8","8.8.15.p9","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13653.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}