CVE-2025-66376 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting Zimbra Collaboration Suite (ZCS) versions 10.0 prior to 10.0.18 and 10.1 prior to 10.1.13. The vulnerability stems from improper neutralization of input during web page generation in the Classic UI, specifically through the handling of Cascading Style Sheets (CSS) @import directives embedded within HTML email messages. When a maliciously crafted email containing a CSS @import directive is viewed, the Classic UI fails to sanitize this input properly, allowing the attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to unauthorized actions such as session hijacking, credential theft, or the execution of malicious payloads. The vulnerability does not require authentication or user interaction, increasing its exploitability. The CVSS 3.1 base score of 7.2 reflects a high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable module. Although no public exploits have been reported, the nature of stored XSS in a widely used collaboration platform makes it a significant concern. The lack of available patches at the time of reporting necessitates immediate mitigation strategies to reduce exposure.

The impact of CVE-2025-66376 is considerable for organizations using vulnerable Zimbra Collaboration versions. Successful exploitation can lead to the execution of arbitrary scripts in users' browsers, potentially resulting in theft of sensitive information such as session cookies, credentials, or corporate data. This can facilitate further attacks like account takeover, privilege escalation, or lateral movement within an organization's network. Since the vulnerability is stored XSS, the malicious payload persists and can affect multiple users who view the compromised email. The absence of authentication or user interaction requirements lowers the barrier for attackers, increasing the risk of widespread exploitation. Organizations relying on Zimbra for email and collaboration, especially those handling sensitive or regulated data, face risks to confidentiality and integrity. Although availability impact is low, the breach of trust and potential data leakage can have severe reputational and compliance consequences. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the initial vulnerable module, potentially increasing the attack surface and impact.

1. Apply patches promptly once Zimbra releases updates for versions 10.0 and 10.1 addressing this vulnerability. Monitor official Zimbra advisories for patch availability. 2. Implement strict email content filtering at the gateway level to block or sanitize emails containing suspicious CSS @import directives or other potentially malicious HTML content. 3. Configure the Classic UI or switch to alternative user interfaces that do not process CSS @import directives in a vulnerable manner, if feasible. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which CSS and scripts can be loaded. 5. Educate users about the risks of opening suspicious emails and encourage reporting of unusual email behavior. 6. Monitor logs and network traffic for signs of exploitation attempts, such as unusual script execution or anomalous requests originating from user sessions. 7. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Zimbra Collaboration. 8. Regularly audit and review email client configurations and security settings to ensure they adhere to best practices for input validation and content sanitization.