CVE-2024-27443
Severity: MEDIUM | CISA KEV | CVSS 6.1
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, caused by improper input validation in the handling of the calendar header. An attacker can exploit this by sending an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload runs in the context of the victim's session, so the attacker's JavaScript executes with the victim's webmail privileges.
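The description above is the generic CWE-79 pattern: an attacker-controlled calendar field is concatenated into the webmail page without output encoding. The following is an added example, not Zimbra code and not the payload from the actual exploit, that shows the vulnerable and hardened rendering side by side and a triage helper that pulls property values out of a raw text/calendar body (with RFC 5545 line unfolding) and flags ones that contain markup. The page does not name the exact header that was abused, so the example assumes the VEVENT SUMMARY property as a stand-in, and the sample invite, payload and function names are all constructed for illustration.

```javascript
// Added example for the CWE-79 pattern behind CVE-2024-27443.
// Assumptions: the attacker-controlled field is the iCalendar SUMMARY
// property (the page does not say which header was abused), and the
// sample invite below is constructed, not captured from a real attack.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a string for insertion into an HTML text node / attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the header value goes straight into markup.
// Anything an attacker puts in the property becomes part of the DOM.
function renderInviteUnsafe(summary) {
  return `<div class="invite-title">${summary}</div>`;
}

// Hardened pattern: encode for the HTML context before concatenating.
function renderInviteSafe(summary) {
  return `<div class="invite-title">${escapeHtml(summary)}</div>`;
}

// Minimal iCalendar property extractor: unfold continuation lines
// (CRLF followed by one space or tab), then split NAME[;PARAMS]:VALUE.
// Later occurrences of the same property overwrite earlier ones.
function parseIcsProperties(ics) {
  const unfolded = ics.replace(/\r?\n[ \t]/g, '');
  const props = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).split(';')[0].toUpperCase();
    props[name] = line.slice(idx + 1);
  }
  return props;
}

// Triage heuristic: a calendar property value has no business containing
// tags, event-handler attributes or javascript: URLs. Returns the names
// of properties whose values match.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousProperties(ics) {
  return Object.entries(parseIcsProperties(ics))
    .filter(([, value]) => SUSPICIOUS.test(value))
    .map(([name]) => name);
}

// Constructed sample invite. The SUMMARY line is folded across two lines
// the way a mail client would wrap it; the second line keeps its own
// leading space so unfolding restores "src=x onerror=...".
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'METHOD:REQUEST',
  'BEGIN:VEVENT',
  'UID:constructed-example@example.invalid',
  'DTSTART:20240801T090000Z',
  'SUMMARY:Budget review <img src=x',
  '  onerror=alert(document.cookie)>',
  'DESCRIPTION:Quarterly numbers\\, agenda attached',
  'ORGANIZER;CN=Alice:mailto:alice@example.invalid',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// Stand-alone demonstration.
const summary = parseIcsProperties(SAMPLE_ICS).SUMMARY;
console.log('unsafe :', renderInviteUnsafe(summary));
console.log('safe   :', renderInviteSafe(summary));
console.log('flagged:', findSuspiciousProperties(SAMPLE_ICS));
```

The heuristic in `findSuspiciousProperties` is a triage aid for searching a mail store or a quarantine for invites worth a closer look, not a substitute for patching: encoding at render time (`renderInviteSafe`) is the actual fix for CWE-79, and any filter on inbound content can be bypassed by encodings the regex does not anticipate.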
CVE details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2024-08-12
Last modified: 2025-10-31
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Date added to KEV: 2025-05-19
Remediation due date: 2025-06-09
Known ransomware use: Unknown
Affected products
zimbra:collaboration
Weaknesses (CWE)
CWE-79
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.