CVE-2024-27443
MEDIUM | CISA KEV | 6.1
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
CVE Details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 8/12/2024
Last modified: 10/31/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
KEV date added: 2025-05-19
Remediation due date: 2025-06-09
Ransomware use: Unknown
Affected products
zimbra:collaboration
Weaknesses (CWE)
CWE-79
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.welivesecurity.com/en/eset-research/operation-roundpress/ (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.