Two cross-site scripting (XSS) vulnerabilities have been discovered in Zimbra Collaboration (initially found in version 8.8.8). Zimbra Collaboration is an open source messaging and collaboration suite.

Vulnerability records

CVE ID: CVE-2018-14013

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-79

CVSS Base Score: 6.1

Both vulnerabilities allow a remote attacker to inject arbitrary JavaScript into the web browser of an authenticated Zimbra user: the first is a reflected XSS, the second a DOM-based XSS.

Proof of Concept 1: Reflected XSS

To reproduce the first XSS, log in to the web client and click on the link below, whose parameter carries the payload:

""><svg onload=alert(1)>

Proof of Concept 2: DOM-based XSS

  1. First, log in to the web client.

  2. Click on "Preferences", then on "Import / Export".

  3. Finally, import a file named test.<svg onload=alert(2)>: the file name is inserted into the DOM and the second payload executes.
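Both payloads exploit the same defect: attacker-controlled text (a URL parameter in PoC 1, a file name in PoC 2) is concatenated into HTML without encoding, so `"` closes the attribute and `<svg onload=...>` becomes a live element. The following is an added example, not code from Zimbra or from the original advisory; the helper names (`escapeHtml`, `renderLink*`, `renderFileRow*`, `containsSvgOnload`) are hypothetical and only illustrate the vulnerable pattern beside its hardened form.

```javascript
// Added example (not ZCS code): the two injection contexts from the PoCs
// above, each in a vulnerable and an encoded variant. All function names
// are hypothetical.

// Minimal HTML entity encoder that is safe for both element text and
// double-quoted attribute values. Quotes are encoded too, so a value placed
// inside "..." cannot terminate the attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// PoC 1 pattern: a reflected parameter written into an attribute by string
// concatenation. The leading quotes in the payload close the attribute and
// the rest of the string is parsed as markup.
function renderLinkVulnerable(param) {
  return '<a href="#" data-value="' + param + '">open</a>';
}

function renderLinkSafe(param) {
  return '<a href="#" data-value="' + escapeHtml(param) + '">open</a>';
}

// PoC 2 pattern: an imported file name inserted into the page as HTML
// (for example through innerHTML). The <svg onload=...> in the name becomes
// a real element and its handler fires as soon as it is attached to the DOM.
function renderFileRowVulnerable(fileName) {
  return "<tr><td>" + fileName + "</td></tr>";
}

function renderFileRowSafe(fileName) {
  return "<tr><td>" + escapeHtml(fileName) + "</td></tr>";
}

// Conservative detector for the assertions: does the markup contain an
// svg start tag carrying an onload handler?
function containsSvgOnload(html) {
  return /<svg[^>]*onload=/i.test(html);
}

// The two payloads from the advisory.
const POC1_PAYLOAD = '""><svg onload=alert(1)>';
const POC2_FILENAME = "test.<svg onload=alert(2)>";

console.log("PoC 1 vulnerable:", renderLinkVulnerable(POC1_PAYLOAD));
console.log("PoC 1 encoded:   ", renderLinkSafe(POC1_PAYLOAD));
console.log("PoC 2 vulnerable:", renderFileRowVulnerable(POC2_FILENAME));
console.log("PoC 2 encoded:   ", renderFileRowSafe(POC2_FILENAME));
```

For the DOM-based case, the preferred fix in real client code is to avoid HTML construction altogether: create the cell with `document.createElement("td")` and assign the file name to `textContent`, which never parses the value as markup. Entity encoding, as shown above, is the fallback when a template must be assembled as a string.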

Affected versions

All versions before 8.8.11 (the first XSS was already fixed in ZCS 8.8.10 patch 1 and 8.8.9 patch 6; see the timeline below).

Solution

Update to version 8.8.11, which includes the fixes for both vulnerabilities.

Timeline (dd/mm/yyyy)

  • 12/07/2018 : Initial discovery
  • 21/07/2018 : Vendor notification
  • 21/07/2018 : Vendor acknowledgment
  • 18/10/2018 : Vendor partial fixes in ZCS 8.8.10 patch 1 and 8.8.9 patch 6 (XSS 1)
  • 18/12/2018 : Vendor full fixes in ZCS 8.8.11 (XSS 2)
  • 30/01/2019 : Public disclosure


Thanks to the Zimbra security team for the perfect report handling!