A Non-persistent (aka Reflected) XSS vulnerability exists in the AJAX web client. Details to follow.
Fixed in: ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 Updated: - https://wiki.zimbra.com/wiki/Security_Center - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories - https://wiki.zimbra.com/wiki/Zimbra_Security_Center_Acknowledgements