A cross-site scripting (XSS) vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script sent to the /h/autoSaveDraft function.
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy