Actively exploited in the wild
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Synacor — Zimbra Collaboration Suite (ZCS) · Listed in the CISA KEV since 2025-02-25. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2023-34192
Critical · CVSS 9.0 · KEV
Exploitation Probability (EPSS): Very high risk · 100th percentile — higher than 100% of all known CVEs
Summary
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
Risk Assessment
An attacker could exploit this vulnerability to gain control over the system or steal user data, posing a significant threat to the organization's security.
Recommendation
It is recommended to update Zimbra ZCS to the latest version to mitigate this vulnerability and conduct a security audit of the application.

