CVE-2024-27443 - Synacor Zimbra Collaboration Suite (ZCS)
AI Vulnerability ContextAn issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this mess...
Overview
A source-backed snapshot of this vulnerability.
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Vulnerability status
How serious this vulnerability is and whether it is known to be exploited.
- CVE ID
- CVE-2024-27443
- Vendor/project
- Synacor
- Product
- Zimbra Collaboration Suite (ZCS)
- Vulnerability name
- Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
- Date added
- 2025-05-19
- Due date
- 2025-06-09
- Known ransomware campaign use
- Unknown
- CVSS v3
- 6.1
Exploit context
What the vulnerability is about.
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
