Cyber Resilience

CVE-2024-50599

Severity: Medium
Published: 07 November 2024
Modified: 17 June 2025
KEV Added: not listed
Patch: available (addressed in the 8.8.15/P46 patch set, per the vendor release notes)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2161 (95.9th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50599 is a medium-severity reflected Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite, with a CVSS v3.1 base score of 6.1.

Operationally, it ranks in the top 4.1% of CVEs by EPSS exploit likelihood (95.9th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-50599 is a reflected cross-site scripting vulnerability in Zimbra Collaboration Suite 8.8.15. The flaw sits in a webmail calendar endpoint that echoes user-supplied input into its HTML response without adequate sanitization or output encoding. It carries a CVSS 3.1 base score of 6.1 and is classified as CWE-79.

Exploitation follows the usual reflected-XSS pattern: an attacker who needs no Zimbra account (PR:N) crafts a URL carrying the payload and gets a target user to open it (UI:R), typically through a phishing mail or chat link. The payload runs in the victim's browser within the webmail origin, which is why the vector records a scope change (S:C): the vulnerable component is the server endpoint, but the impact lands in the browser, where the script can issue requests in the victim's session against whatever the Zimbra web client exposes. The rated impact is limited loss of confidentiality and integrity (C:L/I:L) with no availability impact.

Zimbra's security advisories and the 8.8.15/P46 release notes indicate that the vulnerability is addressed in that patch set. Administrators should apply the latest maintenance release for the 8.8.15 branch, confirm the installed patch level afterwards (zmcontrol -v, run as the zimbra user, prints the release and patch number), and review the vendor's security wiki for additional hardening guidance. The EPSS score has stayed near 0.22 since disclosure, with no pronounced post-disclosure increase.


Vulnerability details

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Zimbra Collaboration Suite (ZCS) 8.8.15, affecting one of the webmail calendar endpoints. This arises from improper handling of user-supplied input, allowing an attacker to inject malicious code that is reflected back in the HTML response.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Synacor Zimbra Collaboration Suite 8.8.15 (builds prior to the 8.8.15/P46 patch set)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type cited in the NVD entry, CWE-79.

Penetration testing (addresses CWE-79): submits XSS payloads to web applications and detects cross-site scripting flaws for subsequent remediation. For a reflected flaw like this one, the test is a canary string containing HTML metacharacters sent in the suspect parameter, followed by a check of whether it comes back in the response unencoded.

Input validation (addresses CWE-79): validates web inputs and rejects content that does not match what the field expects. Treat it as defence in depth only; rejecting the word "script" does not stop payloads built from event handlers on other tags.

Output validation and encoding (addresses CWE-79): validation of generated pages against expected content can reject or sanitize script content, reducing exploitability. The primary fix for reflected XSS is context-aware encoding of user-controlled data at the point it is written into HTML text, attributes, URLs or script, so that reflected input renders as text rather than markup.
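The exploitation pattern described under Deeper analysis and the three controls listed above, as one added example. This is not Zimbra's code and not taken from the advisory: it is a minimal handler that reflects a query parameter into HTML the way the flaw is described (vulnerable), the same handler with context-aware output encoding (hardened), and the canary-reflection check a scanner or pentester would run against both. The endpoint path (/calendar), the parameter name (view) and the markup are assumptions chosen for illustration.

```python
# Added example, not Zimbra's code: a reflected-XSS-prone handler, its hardened
# form, and the reflection check run against both. The endpoint path,
# parameter name and markup are assumptions made for illustration.
import html
import urllib.parse
from typing import Callable

PARAM = "view"        # assumed name of the reflected query-string parameter
BASE = "/calendar"    # assumed endpoint path


def parse_query(url: str) -> dict[str, str]:
    """First value of each query-string key, percent-decoded like a servlet would."""
    qs = urllib.parse.urlsplit(url).query
    pairs = urllib.parse.parse_qs(qs, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def vulnerable_calendar_page(url: str) -> str:
    """CWE-79: the raw parameter lands in HTML text and in an attribute value."""
    value = parse_query(url).get(PARAM, "")
    return (
        f"<h1>Calendar: {value}</h1>\n"
        f'<a href="{BASE}?{PARAM}={value}">reload</a>'
    )


def hardened_calendar_page(url: str) -> str:
    """Same page, with the data encoded for each context it is written into."""
    value = parse_query(url).get(PARAM, "")
    as_text = html.escape(value, quote=True)        # HTML text / attribute context
    as_query = urllib.parse.quote(value, safe="")    # URL query-component context
    return (
        f"<h1>Calendar: {as_text}</h1>\n"
        f'<a href="{BASE}?{PARAM}={as_query}">reload</a>'
    )


# Canary: a unique marker plus the characters that close an attribute (")
# and open a tag (<). It contains no "script" keyword, so a keyword
# blocklist applied on input would not stop it.
CANARY = 'zx"><svg/onload=alert(1)>zx'


def attack_url(payload: str, base: str = BASE) -> str:
    """The link an attacker would send: payload percent-encoded into the query."""
    return f"{base}?{PARAM}={urllib.parse.quote(payload, safe='')}"


def reflects_unencoded(handler: Callable[[str], str]) -> bool:
    """True when the canary comes back with its metacharacters intact."""
    body = handler(attack_url(CANARY))
    return CANARY in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_calendar_page),
                          ("hardened", hardened_calendar_page)):
        print(f"{name:10s} reflects unencoded: {reflects_unencoded(handler)}")
        print(handler(attack_url(CANARY)))
        print()
```

The hardened handler does not try to recognise "bad" input; it encodes every reflected value for the context it is written into, so the same canary that breaks out of the attribute in the vulnerable page renders as literal text in the hardened one. That is the distinction between the input-validation control and the output-encoding control above: the first can be bypassed by a payload it did not anticipate, the second does not depend on anticipating payloads.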
