CRITICAL: Zimbra Classic Web Client Flaw Lets a Single Crafted Email Hijack Your Inbox
Zimbra shipped an emergency fix for a critical stored cross-site scripting flaw in its Classic Web Client that lets a crafted email run malicious code inside a victim's authenticated session the moment they open it. Google's Threat Analysis Group reported it, no CVE is assigned yet, and administrators should upgrade to Collaboration Suite 10.1.19 immediately.