PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3999 Synacor CVE debrief

CVE-2016-3999 is a medium-severity cross-site scripting issue in Zimbra Collaboration before 8.7.0. The CVE description says multiple XSS vulnerabilities could let a remote attacker inject arbitrary web script or HTML through unspecified vectors. NVD rates the issue 6.1/10 with a network attack vector, low complexity, no privileges required, and user interaction required. The practical remediation path in the supplied sources is to move to Zimbra 8.7.0 or later and confirm the vendor advisory and release notes for the affected product line.

Vendor
Synacor
Product
CVE-2016-3999
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

Zimbra Collaboration administrators, email platform owners, web application security teams, and anyone operating internet-facing Zimbra deployments or user-facing mail portals.

Technical summary

The record describes multiple CWE-79 cross-site scripting vulnerabilities in Zimbra Collaboration before 8.7.0. An unauthenticated remote attacker can inject arbitrary web script or HTML via unspecified vectors, but the CVSS vector indicates that user interaction is required and that the impact is limited to low confidentiality and integrity, with no availability impact. NVD’s vulnerable CPE criteria mark Synacor Zimbra Collaboration Suite versions up to and including 8.6.0 as affected.

Defensive priority

Medium. Patch in the normal maintenance cycle, but prioritize faster remediation for exposed or heavily used Zimbra deployments because the flaw is remotely reachable and depends on user interaction.

Recommended defensive actions

  • Upgrade Zimbra Collaboration to version 8.7.0 or later, as indicated by the vendor release notes reference.
  • Inventory deployments and confirm that no instances remain on versions covered by NVD’s vulnerable CPE range through 8.6.0.
  • Review the Zimbra Security Advisories page and the 8.7.0 release notes to verify the fixed version and any vendor guidance.
  • Treat externally reachable Zimbra services as higher priority because the CVSS vector includes network access and user interaction requirements.

Evidence notes

The CVE was published on 2017-01-18 and the NVD record was modified on 2026-05-13; the later modified date is record maintenance context, not the original issue date. The supplied NVD metadata lists CVSS v3.0 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and CWE-79. The CVE description names bugs 104552 and 104703 and states the issue affects Zimbra Collaboration before 8.7.0. The supplied official references point to the Zimbra 8.7.0 release notes and Zimbra Security Advisories page for remediation context.

Official resources

Publicly disclosed in the CVE record on 2017-01-18. This debrief uses the CVE publish date for timing context and does not treat the later NVD modification timestamp as the issue date.