CVE-2024-27443

CVSS 6.1 (Medium) · EPSS 19.5% · KEV · CWE-79
Vexday Risk Score: 63 (high priority)
SSVC decision (CISA): Act (exploitation + impact: act immediately)
Lifecycle:
12 Aug 2024: published on NVD
19 May 2025: active exploitation (added to CISA KEV)
Recommendation: patch as soon as possible; active exploitation is confirmed.
In short

A security flaw in Zimbra Collaboration's calendar feature allows attackers to inject malicious code into email messages. When a victim opens these emails in the webmail interface, the code runs in their browser, potentially compromising their account.

Technical detail

A cross-site scripting (XSS) vulnerability in the CalendarInvite feature of Zimbra ZCS 9.0 and 10.0 results from improper input validation of calendar headers. The attack vector is email: an attacker crafts a calendar header containing an XSS payload, and when the victim views the message in the webmail classic interface the payload executes in the victim's session context, enabling arbitrary JavaScript execution and session compromise.

Summary generated and translated by AI from the official description.

Official description:
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products: n/a
