CVE-2024-27443
Severity: MEDIUM | CISA KEV | CVSS score: 6.1
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
CVE details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 8/12/2024
Last modified: 10/31/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
KEV date added: 2025-05-19
Remediation due date: 2025-06-09
Known ransomware use: Unknown
Affected products
zimbra:collaboration
Weaknesses (CWE)
CWE-79
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.