CVE-2024-27443
Severity: MEDIUM | Listed in CISA KEV | CVSS score: 6.1
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
CVE details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 8/12/2024
Last modified: 10/31/2025
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Date added to KEV: 2025-05-19
Remediation deadline: 2025-06-09
Used in ransomware: Unknown
Affected products
zimbra:collaboration
Weaknesses (CWE)
CWE-79
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.