An XSS vulnerability discovered in Zimbra could allow hackers to remotely execute malicious JavaScript code

A critical security flaw has been discovered in Zimbra Collaboration Suite (ZCS) that could allow hackers to execute malicious JavaScript code.
This high-severity vulnerability was found in the Zimbra webmail management interface and is tracked as CVE-2024-33533 (https://nvd.nist.gov/vuln/detail/CVE-2024-33533).
The impact of this vulnerability is serious, as it can lead to unauthorized access to sensitive information, session hijacking, and complete control of the affected user’s session.
Along with CVE-2024-33533 (https://nvd.nist.gov/vuln/detail/CVE-2024-33533), two other vulnerabilities have been identified:
CVE-2024-33536 (https://nvd.nist.gov/vuln/detail/CVE-2024-33536) affects Zimbra Collaboration (ZCS) versions 9.0 and 10.0. It stems from insufficient validation of the res parameter, which could allow a logged-in attacker to inject and execute unauthorized JavaScript code in the context of another user’s web session.
CVE-2024-33535 (https://nvd.nist.gov/vuln/detail/CVE-2024-33535) in Zimbra Collaboration 9.0 and 10.0 is an unauthenticated local file injection (LFI (https://kmb.cybber.ru/web/lfi/main.html)) vulnerability. This flaw could allow attackers to inject files into the server through a web application, which could lead to further exploitation.
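As an added defender-side example that is not part of the original article: a small Python checker that scans web-server access logs for requests whose `res` query parameter (the parameter the article names for CVE-2024-33536) carries markup or event-handler syntax. The log lines, request path and log format are constructed assumptions, not Zimbra's actual endpoints or log layout.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined-log style). The "/webmail/"
# path is a placeholder, not a real Zimbra endpoint.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2024:10:01:02 +0000] "GET /webmail/?res=inbox HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2024:10:01:05 +0000] "GET /webmail/?res=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2024:10:01:09 +0000] "GET /webmail/?res=x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 512
198.51.100.3 - - [10/Jun/2024:10:02:00 +0000] "GET /webmail/?folder=sent HTTP/1.1" 200 512
"""

# Pull client IP, timestamp and request target out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Markup, javascript: URLs or on*= event handlers have no business in a
# resource-name parameter; their presence is what we flag.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def suspicious_res_values(log_text, param="res"):
    """Return (ip, timestamp, decoded_value) for every request whose `param`
    query value contains markup or event-handler syntax. parse_qs decodes
    once; a second unquote catches double-encoded values."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = unquote_plus(raw)
            if SUSPICIOUS_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_res_values(SAMPLE_LOG):
        print(f"{ts} {ip} res={value!r}")
```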
