VDB

CVE-2024-27443

CVE-2024-27443 · Published · CISA KEV · CVSS 8.5 (High)

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

EPSS 32.43% · 97.0th percentile

Risk Scores

CVSS 4.0
8.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
32.43%
97.0th percentile

Affected Products

Vendor   Product         Versions
n/a      n/a             n/a, n/a
zimbra   collaboration   10.0.0, 9.0.0, 9.0.0

Exploit Intelligence

…and 42 more exploits

Timeline

  • Feb 28, 2024 CVE Published
  • Aug 12, 2024 PoC Published
  • Aug 13, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Nov 20, 2024 Coalition ESS Score
  • Feb 18, 2025 Coalition ESS Score
  • Mar 19, 2025 Coalition ESS Score
  • May 16, 2025 PoC Published
  • May 19, 2025 CISA KEV Added
  • May 19, 2025 PoC Published
  • May 19, 2025 PoC Published
  • May 19, 2025 PoC Published