CVE-2024-27443


CVSS 6.1 MEDIUM · EPSS 19.5% · KEV (CISA Known Exploited Vulnerabilities) · CWE-79 (Cross-Site Scripting)
In short

A cross-site scripting flaw in the CalendarInvite feature of Zimbra Collaboration (ZCS) 9.0 and 10.0 lets an attacker embed a script payload in the calendar header of an email message. Sending the message requires no account on the target system; when the victim views it in the classic webmail interface, the script runs in the victim's browser inside their webmail session, so it can act as the victim and potentially take over the account.

Technical detail

Cross-site scripting (XSS, CWE-79) in the CalendarInvite feature of Zimbra Collaboration (ZCS) 9.0 and 10.0, caused by improper input validation when the classic webmail interface handles the calendar header of a message. The attack vector is email: the attacker sends a message whose calendar header carries an XSS payload, and the payload executes in the victim's session context when the message is viewed in the classic webmail interface, yielding arbitrary JavaScript execution and potential session compromise. The CVSS vector below matches this: network-reachable with no privileges required (AV:N/PR:N), user interaction limited to viewing the message (UI:R), and a scope change (S:C) because the injected script runs in the victim's browser rather than in the component that received the message. The entry is flagged KEV, so it should be treated as exploited in the wild and prioritized accordingly.

Summary generated and translated by AI from the official description.
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
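As an added illustration of the defect class described above (this is not Zimbra's code, and the page does not name the real header, code path or payload, so none of those are reproduced here), the following JavaScript models a sender-controlled calendar header rendered into invite markup without validation, the same rendering with HTML escaping applied at output, and a header-scan heuristic that can be run over raw messages when sweeping a mail store for similar content. The message, the header name `X-Calendar-Subject` and the payload are constructed for the example.

```javascript
// Added example, not Zimbra's code. Models the CWE-79 pattern behind
// CVE-2024-27443: a sender-controlled calendar header dropped into the
// invite view as-is. Header name, message and payload are hypothetical.

// Constructed raw message (not captured from a real attack).
const SAMPLE_MESSAGE = [
  "From: organizer@example.invalid",
  "To: victim@example.invalid",
  "Subject: Team sync",
  "Content-Type: text/calendar; method=REQUEST",
  'X-Calendar-Subject: Team sync <img src=x onerror="alert(document.cookie)">',
  "",
  "BEGIN:VCALENDAR",
  "END:VCALENDAR",
].join("\r\n");

// Parse the header block into a lower-cased name -> value map. Handles
// RFC 5322 folded continuation lines (leading whitespace) and stops at
// the first blank line, where the body begins.
function parseHeaders(raw) {
  const headers = {};
  const [headerBlock] = raw.split(/\r?\n\r?\n/, 1);
  let last = null;
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && last) {
      headers[last] += " " + line.trim();
      continue;
    }
    const idx = line.indexOf(":");
    if (idx < 1) continue;
    last = line.slice(0, idx).trim().toLowerCase();
    headers[last] = line.slice(idx + 1).trim();
  }
  return headers;
}

// HTML-escape a value for use in text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted header text concatenated into markup.
// In a browser this string would end up in innerHTML and the payload runs.
function renderInviteVulnerable(headers) {
  return `<div class="invite">${headers["x-calendar-subject"]}</div>`;
}

// Hardened pattern: identical markup, untrusted value escaped at output.
function renderInviteSafe(headers) {
  return `<div class="invite">${escapeHtml(headers["x-calendar-subject"])}</div>`;
}

// Triage helper for mail-store sweeps: on calendar-bearing messages, report
// header names whose values contain tags, javascript: URLs or event-handler
// attributes. A heuristic for hunting, not a signature for this CVE.
function flagSuspiciousCalendarHeaders(headers) {
  const contentType = headers["content-type"] || "";
  if (!/text\/calendar/i.test(contentType)) return [];
  const markup = /<\s*\/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=/i;
  return Object.entries(headers)
    .filter(([name, value]) => name !== "content-type" && markup.test(value))
    .map(([name]) => name);
}

// Stand-alone run: show both renderings and the triage verdict.
const parsed = parseHeaders(SAMPLE_MESSAGE);
console.log("vulnerable:", renderInviteVulnerable(parsed));
console.log("hardened:  ", renderInviteSafe(parsed));
console.log("flagged:   ", flagSuspiciousCalendarHeaders(parsed));
```

Run with `node`. `renderInviteVulnerable` reproduces the pattern the advisory describes (untrusted header text reaching the invite markup unvalidated); `renderInviteSafe` is the generic remedy, escaping at the point of output, which is what a fix for this class of bug amounts to. For deployed systems the remedy is the vendor's fixed releases for the affected 9.0 and 10.0 branches; `flagSuspiciousCalendarHeaders` is only a starting point for checking whether messages of this shape have already been delivered to mailboxes.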
Affected products
Zimbra Collaboration (ZCS) 9.0 and 10.0, per the description above (the vendor and product fields of this entry are not populated).
