A zero-day vulnerability has been found in Zimbra
A cross-site scripting (XSS) vulnerability in Zimbra is being actively exploited in attacks. According to Volexity, the vulnerable versions of Zimbra are 8.8.15 P29 and 8.8.15 P30. Volexity researchers say that the attackers are exploiting the zero-day in spear-phishing campaigns to steal emails.
The vulnerability can also enable attackers to perform other malicious actions "in the context of the user's Zimbra webmail session," including exfiltrating cookies to allow persistent access to a mailbox, sending phishing messages to the user's contacts, and displaying a prompt to download malware.
Researchers recommend that Zimbra users upgrade to version 9.0.0.
Source: bleepingcomputer.com
07 February 2022