CVE-2024-45510

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Zimbra Collaboration allows attackers to inject malicious JavaScript into email fields. When victims add attacker-controlled contacts, the code executes in their webmail session, potentially enabling unauthorized email sending, data theft, and account manipulation. All Zimbra Collaboration users with Modern UI are affected.

💻 Affected Systems

Products:
  • Zimbra Collaboration Suite
Versions: Through 10.0 (specifically fixed in 10.0.9, 10.1.1, and 9.0.0 P41)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Zimbra Webmail Modern UI interface

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account compromise allowing attackers to send emails as the victim, exfiltrate all mailbox contents, modify account settings, and maintain persistent access.

🟠 Likely Case: Attackers send phishing emails from the victim's account, steal sensitive emails, and modify contact information to maintain access.

🟢 If Mitigated: No impact if proper input sanitization is implemented or if the vulnerability is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires user interaction (the victim must add the attacker-controlled contact), but exploitation is straightforward once the malicious email has been received.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.9, 10.1.1, or 9.0.0 Patch 41

Vendor Advisory: https://wiki.zimbra.com/wiki/Security_Center

Restart Required: Yes

Instructions:

1. Back up your Zimbra installation.
2. Download the appropriate patch version from the Zimbra website.
3. Stop Zimbra services.
4. Apply the patch.
5. Restart Zimbra services.
6. Verify the update.

🔧 Temporary Workarounds

Disable Modern UI (platform: linux)

Switch to the Classic UI, which may not be vulnerable:

zmprov mcf zimbraFeatureModernUIEnabled FALSE
zmmailboxdctl restart

Input Filtering (platform: all)

Implement WAF rules to filter suspicious HTML/JavaScript in contact fields.

🧯 If You Can't Patch

  • Implement strict Content Security Policy headers to limit script execution
  • Educate users about risks of adding unknown contacts and suspicious email content

🔍 How to Verify

Check if Vulnerable:

Compare the running Zimbra version against the affected versions listed above. Test by attempting to inject script tags into contact fields.

Check Version:

zmcontrol -v

Verify Fix Applied:

Verify that the Zimbra version is 10.0.9, 10.1.1, or 9.0.0 P41 or later, and confirm that XSS payloads no longer execute.
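As an added example (not part of this advisory page and not Zimbra's own tooling), the following Python helper parses the output of `zmcontrol -v` and compares it against the fixed releases listed above (10.0.9, 10.1.1, 9.0.0 Patch 41). The "Release x.y.z ... Patch x.y.z_Pn" output format and the sample strings are assumptions constructed for this example; treating branches newer than 10.1 as fixed is also an assumption.

```python
import re

# Assumed format of `zmcontrol -v` output (constructed for this example), e.g.
#   "Release 10.0.8.GA.4500.UBUNTU20.64 UBUNTU20_64 FOSS edition."
#   "Release 9.0.0_GA_4258.RHEL8_64 RHEL8_64 FOSS edition, Patch 9.0.0_P40."
VERSION_RE = re.compile(r"Release (\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch (\d+)\.(\d+)\.(\d+)_P(\d+)")

# Fixed levels named in the advisory: 9.0.0 is fixed by patch level (P41),
# 10.0 and 10.1 are fixed by micro version (10.0.9 and 10.1.1).
FIXED_9_0_0_PATCH = 41
FIXED_MICRO = {(10, 0): 9, (10, 1): 1}


def parse_zmcontrol(output):
    """Return (major, minor, micro, patch) from `zmcontrol -v` output.

    `patch` is the numeric P-level if a "Patch x.y.z_Pn" suffix is present,
    otherwise None (an unpatched GA install reports no patch level).
    """
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Release x.y.z' string found in output")
    major, minor, micro = (int(x) for x in m.groups())
    p = PATCH_RE.search(output)
    patch = int(p.group(4)) if p else None
    return major, minor, micro, patch


def assess(output):
    """Classify an install as 'patched', 'vulnerable' or 'unknown-branch'."""
    major, minor, micro, patch = parse_zmcontrol(output)
    if (major, minor, micro) == (9, 0, 0):
        # 9.0.0 GA with no patch level at all is below P41.
        if patch is None or patch < FIXED_9_0_0_PATCH:
            return "vulnerable"
        return "patched"
    if (major, minor) in FIXED_MICRO:
        return "patched" if micro >= FIXED_MICRO[(major, minor)] else "vulnerable"
    if (major, minor) > (10, 1):
        # Assumption: branches released after 10.1 carry the fix.
        return "patched"
    # Older branches (e.g. 8.x) are not covered by the advisory's fix list;
    # flag them for manual review rather than guessing.
    return "unknown-branch"


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["zmcontrol", "-v"], capture_output=True, text=True).stdout
    print(assess(out))
```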

📡 Detection & Monitoring

Log Indicators:

  • Unusual contact additions
  • JavaScript execution in contact fields
  • Multiple failed XSS attempts

Network Indicators:

  • Unexpected outbound emails from user accounts
  • Unusual data exfiltration patterns

SIEM Query:

source="zimbra.log" AND ("contact.add" OR "script" OR "javascript")
