Abusing missing input sanitization in Zimbra ZCS leads to arbitrary JavaScript being loaded when opening an email. Credits to: Securify.nl https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
No restart is required on your Zimbra servers.
$ cd /opt/zimbra/jetty_base/webapps/zimbra/js/
$ gunzip -S zgz MailCore_all.js.zgz