VIR Vulnerability Intelligence Relay

CVE-2024-27443

unknown KEV
Published 2025-05-19 · Modified 2025-05-19
CVSS v3
CVSS v2
VIR risk
1.5

Description

Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.

CISA KEV

Vendor
Synacor
Product
Zimbra Collaboration Suite (ZCS)
Due date
2025-06-09

Predictions

Exploit likelihood
99%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes ; https://nvd.nist.gov/vuln/detail/CVE-2024-27443

Exploits

References

Verify integrity in audit chain (admin only). AS-IS.