A Non-persistent (aka Reflected) XSS vulnerability exists in the HTML web client. Details to follow.
Fixed in 8.8.11 - https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11
ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1 were released January 4, 2019. The releases include security fixes for: - CVE-2018-20160 / Bug 109093 - XXE - Chat (CWE-611) - CVE-2018-14013 / Bug 109017 - Non-persistent XSS - Web Client (CWE 79) Note: this fix is already in the ZCS 8.8.11 release