{"id":"CVE-2024-45510","details":"An issue was discovered in Zimbra Collaboration (ZCS) through 10.0. Zimbra Webmail (Modern UI) is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper sanitization of user input. This allows an attacker to inject malicious code into specific fields of an e-mail message. When the victim adds the attacker to their contacts, the malicious code is stored and executed when viewing the contact list. This can lead to unauthorized actions such as arbitrary mail sending, mailbox exfiltration, profile picture alteration, and other malicious actions. Proper sanitization and escaping of input fields are necessary to mitigate this vulnerability.","modified":"2026-04-10T05:17:49.087191Z","published":"2024-11-20T20:15:18.943Z","references":[{"type":"WEB","url":"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Security_Center"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"fixed":"b6cd8f69d2761c014d4a3807f0bdee0011386444"},{"introduced":"b68c7b31a1d94f94903a79c53f1bd316b792de1d"},{"fixed":"2c67cbdfaebf6a71928749b7146f4852876b63ff"},{"introduced":"0"},{"last_affected":"b6cd8f69d2761c014d4a3807f0bdee0011386444"},{"introduced":"0"},{"last_affected":"5561a39cba0898c3bb5e188284d98f498d7a3c9a"},{"introduced":"0"},{"last_affected":"5561a39cba0898c3bb5e188284d98f498d7a3c9a"},{"introduced":"0"},{"last_affected":"d3209df466110d214b2ab6593f931a59c2127db8"},{"introduced":"0"},{"last_affected":"c8a93da38fd1572d864c1becbcc772ba91ee4403"},{"introduced":"0"},{"last_affected":"202d83762fca70b7403c144e1fedddc6cd4930a6"},{"introduced":"0"},{"last_affected":"a163a5dc09ec091fed86421118ec56c90384997a"},{"introduced":"0"},{"last_affected":"b2faf1c074bf6e2f4f76acd11b9ad5a0b4caec40"},{"introduced":"0"},{"last_affected":"0bea2f7ec388cc09cb3de4ee93344df2695b91a8"},{"introduced":"0"},{"last_affected":"9173353f25559ed524c7a40c799056c01c3418d4"},{"introduced":"0"},{"last_affected":"c27b145236b09c5487259d943dd54ffdea0ccbb3"},{"introduced":"0"},{"last_affected":"8d7f3750f42f0a59d61c1b44d8df1000a52ce9f2"},{"introduced":"0"},{"last_affected":"bc50e7d47c56532b226a1c88c8011127e006940b"},{"introduced":"0"},{"last_affected":"03d99a16095b73a73770fbb6131d10234cfc13fd"},{"introduced":"0"},{"last_affected":"bcb978ccc354d99d843725886083e321759b6765"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.0.0"},{"introduced":"10.0.0"},{"fixed":"10.0.9"},{"introduced":"0"},{"last_affected":"9.0.0-NA"},{"introduced":"0"},{"last_affected":"9.0.0-p1"},{"introduced":"0"},{"last_affected":"9.0.0-p19"},{"introduced":"0"},{"last_affected":"9.0.0-p20"},{"introduced":"0"},{"last_affected":"9.0.0-p23"},{"introduced":"0"},{"last_affected":"9.0.0-p25"},{"introduced":"0"},{"last_affected":"9.0.0-p26"},{"introduced":"0"},{"last_affected":"9.0.0-p27"},{"introduced":"0"},{"last_affected":"9.0.0-p28"},{"introduced":"0"},{"last_affected":"9.0.0-p33"},{"introduced":"0"},{"last_affected":"9.0.0-p36"},{"introduced":"0"},{"last_affected":"9.0.0-p37"},{"introduced":"0"},{"last_affected":"9.0.0-p38"},{"introduced":"0"},{"last_affected":"9.0.0-p4"},{"introduced":"0"},{"last_affected":"9.0.0-p7"}]}},{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"last_affected":"943f2188be659dbccc17e6082dc0c542f9debea4"},{"introduced":"0"},{"last_affected":"82e2bdc9c525585c3d3c2bb383ed80b1feaf878e"},{"introduced":"0"},{"last_affected":"e641be6dd504882bd357015c8012195d5bb49da2"},{"introduced":"0"},{"last_affected":"e641be6dd504882bd357015c8012195d5bb49da2"},{"introduced":"0"},{"last_affected":"52c811a0259419b4e3d177f80c0ba7562d375cfa"},{"introduced":"0"},{"last_affected":"459d2044a9a205efee2b8998be41762876174dde"},{"introduced":"0"},{"last_affected":"497eef64675f6ae63972c50c24e26048640748f6"},{"introduced":"0"},{"last_affected":"dbe58ce9fb59913993aa2d7a5f2c28a292ee4a86"},{"introduced":"0"},{"last_affected":"63c14463c4393c0fcdec4a470e448d1d7dab76d1"},{"introduced":"0"},{"last_affected":"83f33002916b0d752667a29a7fcf865af4609e7a"},{"introduced":"0"},{"last_affected":"19ec057977b93892ef40c4d4d68b578bb8e4dea0"},{"introduced":"0"},{"last_affected":"848af7d9e2467b794b51a49afe3d1edef3ce6b66"},{"introduced":"0"},{"last_affected":"4576339cd43ab64c19dc87591825ab51cb79f07a"},{"introduced":"0"},{"last_affected":"2d2629d018b23dba6b5e984860724832adbe7014"},{"introduced":"0"},{"last_affected":"bcce34b646ae27b931802d859d47e4adfe981635"},{"introduced":"0"},{"last_affected":"f11cd2739a33347b5035c138813fd117378ec5c9"},{"introduced":"0"},{"last_affected":"69380ca2440983320d3262ef155852dbd5bac4f5"},{"introduced":"0"},{"last_affected":"31856510b3e72583143b1464bae867772e303bab"},{"introduced":"0"},{"last_affected":"a6fdb2b0bbe8c189fd212d798f71f183fd3318ba"},{"introduced":"0"},{"last_affected":"f323d75b09d42a6313b47d9a74aae96ec66aa1f8"},{"introduced":"0"},{"last_affected":"7d74bc7bfd7f78c7261d0e52baf42716630fc3f0"},{"introduced":"0"},{"last_affected":"10b7ff251aee6f4770ad75377a1f81491ad5bdb9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.0.0-p10"},{"introduced":"0"},{"last_affected":"9.0.0-p11"},{"introduced":"0"},{"last_affected":"9.0.0-p13"},{"introduced":"0"},{"last_affected":"9.0.0-p14"},{"introduced":"0"},{"last_affected":"9.0.0-p16"},{"introduced":"0"},{"last_affected":"9.0.0-p17"},{"introduced":"0"},{"last_affected":"9.0.0-p18"},{"introduced":"0"},{"last_affected":"9.0.0-p2"},{"introduced":"0"},{"last_affected":"9.0.0-p22"},{"introduced":"0"},{"last_affected":"9.0.0-p24"},{"introduced":"0"},{"last_affected":"9.0.0-p24\\.1"},{"introduced":"0"},{"last_affected":"9.0.0-p29"},{"introduced":"0"},{"last_affected":"9.0.0-p3"},{"introduced":"0"},{"last_affected":"9.0.0-p30"},{"introduced":"0"},{"last_affected":"9.0.0-p32"},{"introduced":"0"},{"last_affected":"9.0.0-p34"},{"introduced":"0"},{"last_affected":"9.0.0-p39"},{"introduced":"0"},{"last_affected":"9.0.0-p40"},{"introduced":"0"},{"last_affected":"9.0.0-p5"},{"introduced":"0"},{"last_affected":"9.0.0-p6"},{"introduced":"0"},{"last_affected":"9.0.0-p8"},{"introduced":"0"},{"last_affected":"9.0.0-p9"}]}}],"versions":["10.0.0-GA","10.0.1","10.0.4","10.0.5","10.0.6","8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.12","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9","8.8.9.p1","8.8.9.p3","9.0.0","9.0.0.U20","9.0.0.p1","9.0.0.p10","9.0.0.p11","9.0.0.p13","9.0.0.p14","9.0.0.p16","9.0.0.p17","9.0.0.p18","9.0.0.p19","9.0.0.p2","9.0.0.p20","9.0.0.p22","9.0.0.p23","9.0.0.p24","9.0.0.p24.1","9.0.0.p25","9.0.0.p26","9.0.0.p27","9.0.0.p28","9.0.0.p29","9.0.0.p3","9.0.0.p30","9.0.0.p32","9.0.0.p33","9.0.0.p34","9.0.0.p36","9.0.0.p37","9.0.0.p38","9.0.0.p39","9.0.0.p4","9.0.0.p40","9.0.0.p5","9.0.0.p6","9.0.0.p7","9.0.0.p7.1","9.0.0.p8","9.0.0.p9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0.0-p12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-p15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-p21"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-p31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-p35"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45510.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}