PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3407 Synacor CVE debrief

CVE-2016-3407 covers multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0. According to NVD, remote attackers can inject arbitrary web script or HTML through unspecified vectors; the CVSS v3.0 vector marks user interaction as required, so a victim must open or act on crafted content for the injected script to run. NVD's vulnerable CPE range covers Zimbra Collaboration Suite up to and including 8.6.0, and the vendor-linked references are the Zimbra 8.7.0 release notes and the Zimbra Security Advisories, which together form the fix context.

Vendor: Synacor
Product: Zimbra Collaboration Suite (CVE-2016-3407)
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Zimbra Collaboration Suite, in particular deployments at or below 8.6.0, should treat this as a web-facing, client-side injection issue: a logged-in user who opens malicious content or interacts with crafted data can have attacker-controlled script execute in their browser within the Zimbra web client's authenticated context.

Technical summary

NVD describes CVE-2016-3407 as multiple XSS vulnerabilities in Zimbra Collaboration before 8.7.0, associated with bugs 104222, 104910, 105071, and 105175. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network reachable, low attack complexity, no privileges required, user interaction required, and a changed scope (the injected script runs in the victim's browser rather than in the vulnerable server component), with low confidentiality and integrity impact and no availability impact. The primary weakness classification is CWE-79 (improper neutralization of input during web page generation). NVD's vulnerable CPE criteria mark synacor:zimbra_collaboration_suite up to and including 8.6.0.

Defensive priority

High for exposed or actively used Zimbra web interfaces. XSS in a webmail client can enable session theft, content spoofing, or actions carried out in the victim's browser under the victim's authenticated session once a user interacts with crafted input; because the web client is usually reachable from the internet and users routinely open untrusted mail, the user-interaction requirement is a weak barrier in practice.

Recommended defensive actions

  • Upgrade Zimbra Collaboration to a fixed release at or beyond 8.7.0, following the vendor guidance linked from NVD, and confirm the installed release afterwards.
  • Review the Zimbra Security Advisories and the 8.7.0 release notes for the specific remediation path and any follow-on hardening steps they describe.
  • Treat user reports of unexpected pop-ups, redirects, script execution, or raw HTML rendering inside the Zimbra web client as possible indicators of XSS exploitation and investigate the content that triggered them.
  • If immediate upgrading is not possible, reduce exposure by restricting access to the Zimbra web interface to trusted networks and by monitoring rendered user-facing content and server logs for unexpected HTML or script.
  • Validate any third-party integrations or customizations that render user-controlled content inside Zimbra for unsafe HTML handling, since the vendor fix does not cover code you added yourself.

Evidence notes

This debrief is based on the NVD record for CVE-2016-3407, which states that the issue is multiple XSS vulnerabilities in Zimbra Collaboration before 8.7.0 and includes the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and the CWE-79 classification. The NVD CPE criteria list synacor:zimbra_collaboration_suite as vulnerable through version 8.6.0. The official references in the CVE record point to the Zimbra 8.7.0 release notes and the Zimbra Security Advisories as vendor-linked remediation context; no exploit details or proof-of-concept are present in the stored evidence.

Official resources

Publicly disclosed in the CVE record on 2017-01-18; vendor-linked remediation references point to Zimbra 8.7.0 release notes and security advisories.