Cyber Resilience

CVE-2025-48700

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 June 2025
Modified: 21 April 2026
KEV Added: see CISA KEV catalog
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1819 (95.3rd percentile)
Risk Priority: 43 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-48700 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

An issue was discovered in Zimbra Collaboration (ZCS) versions 8.8.15, 9.0, 10.0, and 10.1 consisting of a reflected cross-site scripting vulnerability in the Classic UI. The flaw stems from insufficient sanitization of HTML content in email messages, specifically permitting crafted tag structures and attribute values that incorporate @import directives along with other script injection vectors. It is tracked as CWE-79 with a CVSS 3.1 score of 6.1.

An unauthenticated remote attacker can exploit the vulnerability by sending a specially crafted email message. When the recipient views the message in the Classic UI, arbitrary JavaScript executes in the context of the user's session without requiring further interaction, enabling theft of sensitive information or other session-based actions.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and Zimbra has published related information through its Security Center, Security Advisories, and Responsible Disclosure Policy pages on the corporate wiki.


Vulnerability details

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: see CISA KEV catalog

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: synacor
Product: zimbra collaboration suite
Affected versions: 8.8.15; 9.0.0; 10.0.0 to 10.0.12; 10.1.0 to 10.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted HTML input from email messages to block the crafted tag/@import script vectors that trigger this reflected XSS.

SI-15 Information Output Filtering (prevent): Requires filtering of information output to users so that malicious script content is removed before rendering in the Classic UI.

Information flow enforcement (prevent): Enforces information-flow rules that can prohibit script-bearing content from flowing from inbound mail into the web UI session context.
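The two controls above (SI-10 on the way in, SI-15 on the way out) amount to the same engineering decision: render untrusted email HTML only through an allowlist sanitizer that drops style sheets, inline style, event-handler attributes and non-http URLs outright, instead of trying to recognise specific payloads. The example below is added here and is not Zimbra's code; the tag and attribute allowlists, the `EmailSanitizer` class and the `sanitize_email_html` function are illustrative choices, and the message body is constructed for the demonstration. It returns both the cleaned HTML and a list of findings, so the same routine can feed a detection log (how often inbound mail carries `@import` or script-bearing attributes) as well as the renderer.

```python
"""Allowlist HTML sanitizer for untrusted email bodies (added example).

Not Zimbra's code. Demonstrates the SI-10 / SI-15 idea from the advisory:
validate inbound HTML (tags, attributes, CSS) and filter the output before
it reaches the browser. Standard library only.
"""
import re
from html import escape
from html.parser import HTMLParser

# Illustrative allowlists; a real deployment tunes these to its mail UI.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "blockquote", "div", "span", "img", "table", "tr",
                "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
GLOBAL_ATTRS = {"class"}            # note: no "style" attribute at all
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}  # element and body dropped
VOID_TAGS = {"br", "img"}


class EmailSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.findings = []   # human-readable record of what was removed
        self._skip_depth = 0  # >0 while inside a dropped element such as <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.findings.append(f"dropped <{tag}> element")
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            if not self._skip_depth:
                self.findings.append(f"dropped <{tag}> tag")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            lname = name.lower()
            if lname.startswith("on"):          # onclick, onload, ...
                self.findings.append(f"dropped event handler {lname} on <{tag}>")
                continue
            if lname == "style":                # inline CSS is never forwarded
                reason = "@import directive" if "@import" in value.lower() else "inline style"
                self.findings.append(f"dropped {reason} on <{tag}>")
                continue
            if lname not in GLOBAL_ATTRS | ALLOWED_ATTRS.get(tag, set()):
                continue
            if lname in ("href", "src") and not SAFE_URL.match(value.strip()):
                self.findings.append(f"dropped unsafe {lname} on <{tag}>")
                continue
            kept.append(f' {lname}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=False))  # re-escape text content


def sanitize_email_html(html):
    """Return (sanitized_html, findings) for an untrusted message body."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample message body (not a real exploit) carrying the kinds of
# content the advisory names: an @import in a style attribute, a style sheet,
# a script element and a script-bearing attribute.
CONSTRUCTED_MESSAGE = (
    '<p style="color:red;@import url(\'https://example.invalid/x.css\')">Quarterly report</p>'
    '<a href="data:text/html,x" onclick="x()">link</a>'
    '<style>@import url("https://example.invalid/y.css");</style>'
    '<script>1</script><b>regards</b>'
)

if __name__ == "__main__":
    clean, findings = sanitize_email_html(CONSTRUCTED_MESSAGE)
    print(clean)
    for f in findings:
        print("finding:", f)
```

Design note: the sanitizer never tries to repair a suspicious attribute (for example by deleting only the `@import` substring); it drops the whole attribute or element and records why, because partial rewrites are where sanitizers historically leak. The findings list is what you would count per sender or per day to notice a campaign built on this vector.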

References