CVE-2024-27443

6.1 MEDIUM CISA KEV - Actively Exploited
Published: August 12, 2024 Modified: October 31, 2025

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this by sending an email message whose calendar header contains an embedded XSS payload; no authentication to the target system is needed. When a victim opens that message in the Zimbra webmail classic interface, the payload runs in the context of the victim's webmail session, so the attacker's JavaScript executes with the victim's access to the mailbox. Because the payload is stored in the message, it fires on every view, and the only user interaction required is reading the mail.
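The description above names the defect (a header value rendered in the webmail UI without being treated as text) but the page does not show Zimbra's code or which header field is involved. The following is an added illustration, not Zimbra's code: a hypothetical invite renderer in its vulnerable and hardened forms, plus a header-unfolding check that a mail-flow or triage script could run over a raw message. The header name `X-Invite-Title`, the function names and the sample message are all constructed for this example.

```javascript
// Added example: how an unescaped calendar header becomes stored XSS in a
// webmail client, and two defensive measures. Not Zimbra's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Context-appropriate escaping for an HTML text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern (hypothetical): the header value is interpolated into
// markup verbatim, so a value containing tags is parsed as HTML by the browser.
function renderInviteUnsafe(calendarHeader) {
  return `<div class="invite-header">${calendarHeader}</div>`;
}

// Hardened pattern: the value is escaped before interpolation, so the browser
// shows the attacker's string as text. (In a real DOM, assigning to
// element.textContent instead of innerHTML achieves the same thing.)
function renderInviteSafe(calendarHeader) {
  return `<div class="invite-header">${escapeHtml(calendarHeader)}</div>`;
}

// Heuristic triage check for header values: tags, inline event handlers or a
// javascript: URL have no business in a header that is meant to be plain text.
// It is a heuristic (it will miss encoded payloads and can flag odd-but-benign
// text), so use it to prioritise review, not as the only control.
function headerLooksLikeMarkup(value) {
  return /<\s*\/?\s*[a-z!]/i.test(value)
    || /\bon\w+\s*=/i.test(value)
    || /javascript:/i.test(value);
}

// Minimal RFC 5322 header parser: split head from body at the first blank
// line, unfold continuation lines (CRLF followed by whitespace), then collect
// name -> [values]. Unfolding matters: a payload split across a folded header
// looks harmless line by line and only reassembles after unfolding.
function parseHeaders(rawMessage) {
  const head = rawMessage.split(/\r?\n\r?\n/)[0];
  const unfolded = head.replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] ||= []).push(value);
  }
  return headers;
}

// Run the markup check over every header of a raw message.
function findSuspiciousHeaders(rawMessage) {
  const hits = [];
  for (const [name, values] of Object.entries(parseHeaders(rawMessage))) {
    for (const value of values) {
      if (headerLooksLikeMarkup(value)) hits.push({ name, value });
    }
  }
  return hits;
}

// Constructed samples (not from any real incident).
const BENIGN_HEADER = 'Team sync, Thursday 10:00';
const PAYLOAD_HEADER = '<img src=x onerror="alert(document.cookie)">';

// Constructed message: the payload is folded across two header lines under a
// hypothetical header name.
const SAMPLE_MESSAGE = [
  'From: attacker@example.test',
  'To: victim@example.test',
  'Subject: Meeting',
  'Content-Type: text/calendar; method=REQUEST',
  'X-Invite-Title: <img src=x',
  ' onerror="alert(document.cookie)">',
  '',
  'BEGIN:VCALENDAR',
  'END:VCALENDAR',
].join('\r\n');

// Usage: node this_file.js
console.log('unsafe :', renderInviteUnsafe(PAYLOAD_HEADER));
console.log('safe   :', renderInviteSafe(PAYLOAD_HEADER));
console.log('flagged:', findSuspiciousHeaders(SAMPLE_MESSAGE));
```

The fix that matters is the second renderer: output encoding (or a text-node assignment) at the point where untrusted header data meets the DOM. The header scanner is a compensating control for the window before the vendor patch is deployed; note that it has to unfold headers first, otherwise a payload wrapped onto a continuation line slips past a line-oriented check.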


CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Press/Media Coverage

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
26.7%
96th percentile
Exploitation Status
Actively Exploited
Remediation due: 2025-06-09

Weaknesses (CWE)

Affected Vendors

zimbra