This vulnerability in Zimbra Collaboration Suite Classic UI arises from insufficient sanitization of HTML content in email messages, specifically involving crafted tag structures and attribute values that include an @import directive and script injection vectors. When a user views a maliciously crafted email, arbitrary JavaScript can execute in their session context, potentially exposing sensitive information. The issue affects multiple ZCS versions (8.8.15, 9.0, 10.0, and 10.1). The CVSS 3.1 base score is 6.1 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity. No patch or official remediation guidance is currently available.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session in the Zimbra Classic UI. This can lead to unauthorized disclosure of sensitive information accessible within that session. There is no indication of impact on system availability. The vulnerability requires the victim to view a crafted email but no further interaction. No known exploits are reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when opening emails from untrusted sources. Administrators may consider disabling or restricting use of the Classic UI if feasible. Monitor vendor channels for updates and apply patches promptly once released.