CVE-2024-27443

MEDIUM KEV NUCLEI

Zimbra Collaboration - Cross-Site Scripting (XSS)

Title source: nuclei

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Nuclei Templates (1)

Zimbra Collaboration - Cross-Site Scripting (XSS)

MEDIUMVERIFIEDby rxerium

Shodan: http.favicon.hash:"1624375939" || http.html:"zimbra collaboration suite web client" || http.favicon.hash:"475145467"

FOFA:

icon_hash="1624375939" || app="zimbra-邮件系统" || body="zimbra collaboration suite web client" || icon_hash="475145467"

References (4)

[Release Notes] https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes

[Release Notes] https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443

[Press/Media Coverage] https://www.welivesecurity.com/en/eset-research/operation-roundpress/

Scores

CVSS v3 6.1

EPSS 0.3243

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CISA KEV 2025-05-19

VulnCheck KEV 2025-05-15

ENISA EUVD EUVD-2024-24646

CWE

CWE-79

Status published

Products (2)

zimbra/collaboration 9.0.0 (37 CPE variants)

zimbra/collaboration 10.0.0 - 10.0.7

Published Aug 12, 2024

KEV Added May 19, 2025

Tracked Since Feb 18, 2026