CVE-2024-27443

critical-risk

Published 2024-08-12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Do I need to act?

32.4% chance of exploitation in next 30 days

EPSS score — higher than 68% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Collaboration

Affected Vendors

Zimbra

References (4)

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...

Press/Media Coverage https://www.welivesecurity.com/en/eset-research/operation-roundpress/

/ 100

critical-risk

Severity 23/34 · High

Exploitability 23/34 · High

Exposure 24/34 · High