CVE-2024-27443
Published: 12 August 2024
Summary
CVE-2024-27443 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Zimbra Collaboration. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-27443 is a reflected cross-site scripting vulnerability in Zimbra Collaboration Suite (ZCS) versions 9.0 and 10.0. The flaw resides in the CalendarInvite handling code of the classic webmail interface and stems from insufficient validation of the calendar header field in incoming messages, allowing an attacker-supplied script to be rendered and executed when the message is viewed.
An unauthenticated remote attacker can exploit the issue by sending a single email containing a crafted calendar attachment or header with an embedded JavaScript payload. When the recipient opens the message in the classic Zimbra web client, the payload executes in the context of the victim’s authenticated session, enabling theft of session cookies, account takeover, or other actions within the mail application.
Zimbra addressed the vulnerability in the 9.0.0 P39 and 10.0.7 releases; administrators are advised to apply these updates promptly. The flaw is also listed in CISA’s Known Exploited Vulnerabilities catalog, and ESET has linked related activity to the Operation RoundPress campaign targeting Zimbra deployments. The associated EPSS score has remained in the 0.33 range without a pronounced post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24646
Vulnerability details
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header.
An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
- CWE(s): CWE-79 (Cross-site Scripting)
- KEV Date Added: 19 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input (here the calendar header) to reject or sanitize untrusted data before it is rendered, eliminating the XSS payload.
- SI-15 (Information Output Filtering): requires filtering or encoding of information output to browsers, preventing the embedded script in the CalendarInvite header from executing.
- Malicious-code inspection of inbound email content can block or alert on the crafted calendar header before it reaches the classic UI.
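The following is an added example, not Zimbra's code, showing what the two controls above (SI-10 validation on input, SI-15 encoding on output) look like in a webmail client that renders a calendar header into HTML, next to the unsafe pattern the Deeper analysis describes. The function names, the validation policy and the sample header value are assumptions constructed for illustration.

```javascript
// Added example (not Zimbra's code): SI-10 (validate the untrusted calendar header
// on input) and SI-15 (encode it on output) for a webmail client rendering an invite.
// All names and the sample header below are assumptions constructed for this example.

// Constructed sample: a calendar header value as it might arrive in a message.
// The markup inside it stands in for an "embedded XSS payload".
const SAMPLE_HEADER = 'Project sync <script>alert(1)</script>';

// SI-15: encode every character that has meaning in HTML so the browser treats the
// value as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// SI-10: validate the header on input. Calendar summary/organizer lines are plain
// text, so a value containing angle brackets or control characters is rejected
// outright (returns null) rather than passed on for display. Hypothetical policy.
function validateCalendarHeader(value, maxLen = 256) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > maxLen) return null;
  if (/[<>\u0000-\u001f\u007f]/.test(trimmed)) return null;
  return trimmed;
}

// Unsafe pattern in the spirit of the CVE: the raw header is dropped into the
// document as markup, so script inside it runs in the viewer's session.
function renderInviteUnsafe(header) {
  return `<div class="invite-subject">${header}</div>`;
}

// Hardened pattern: validate first (SI-10); if the value is rejected, show a neutral
// placeholder; either way encode on output (SI-15), so a future validator gap
// cannot reintroduce markup.
function renderInviteSafe(header) {
  const valid = validateCalendarHeader(header);
  const text = valid === null ? '[invalid calendar header removed]' : valid;
  return `<div class="invite-subject">${escapeHtml(text)}</div>`;
}

// Defender-side check used in tests: does a rendered fragment still contain a
// script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderInviteUnsafe(SAMPLE_HEADER));
  console.log('safe   :', renderInviteSafe(SAMPLE_HEADER));
  console.log('safe (clean input):', renderInviteSafe('Project sync'));
}
```

In a real DOM client the equivalent of escapeHtml is assigning the header to an element's textContent rather than innerHTML; the string-based version here keeps the example runnable outside a browser. Keeping both layers is the point: validation limits what reaches the renderer, and output encoding keeps the renderer safe even when validation is incomplete.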