CVE-2024-27443
Published: 2024-08-12
Priority P278 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (due 2025-06-09)
Exploited in the wild
EPSS: 19.54% (97.0th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zimbra | collaboration | — | — |
| zimbra | collaboration | >= 10.0.0 < 10.0.7 | 10.0.7 |
Detection & IOCs (extracted from sources)
Path: /js/zimbraMail/share/model/ZmSettings.js
- Detect exploitation attempts by monitoring for crafted calendar invite emails containing the X-Zimbra-Calendar-Intended-For header with embedded JavaScript (including base64-encoded payloads), as APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.
- Look for HTTP POST requests from Zimbra webmail sessions to hardcoded external C2 addresses: the malicious payload exfiltrates credentials, contacts, webmail settings, login history, 2FA data, and passwords via HTTP POST.
- Detect invisible input fields injected into the Zimbra webmail DOM: the payload creates invisible input fields to trick browsers or password managers into autofilling stored credentials.
- Use Shodan/FOFA fingerprints to identify exposed vulnerable Zimbra instances: favicon hashes 1624375939 and 475145467, and HTML body containing 'zimbra collaboration suite web client'.
- Flag Zimbra Collaboration versions 9.0.0 (before P39) and >= 10.0.0 < 10.0.7 as vulnerable; the version can be extracted from /js/zimbraMail/share/model/ZmSettings.js via the CLIENT_VERSION field.
- The payload executes solely upon opening the malicious email (no clicks, redirections, or user input required), so email gateway inspection of calendar invite headers is critical for early detection.
- The payload has no persistence: it only executes when the malicious email is opened, so forensic investigation should focus on email open events and associated outbound HTTP POST activity rather than persistent artifacts.
- The Nuclei template detection method is passive/version-based only (it checks ZmSettings.js for the version string) and does not actively confirm XSS exploitability; it will flag any unpatched instance regardless of actual attack traffic.
- Each malicious script has a slightly different set of capabilities adjusted per target product, meaning C2 addresses and payload structure will vary per campaign instance and cannot be universally fingerprinted from public reporting alone.
- Affected versions span three patch branches: 8.8.15 (before P46), 9.0.0 (before P39), and 10.x (before 10.0.7); detection rules scoped only to 9.x/10.x will miss 8.8.15 deployments.
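The two detection points above (inspecting the calendar header at the mail gateway, and deciding from CLIENT_VERSION whether an instance falls in an affected range) can be turned into a small defender-side check. The Python below is an added example written for this page; it is not code from Zimbra, from the Nuclei template, or from any source cited here. It assumes that a legitimate X-Zimbra-Calendar-Intended-For value is a mailbox and never markup, that ZmSettings.js carries the version as the first quoted dotted number after the CLIENT_VERSION field (the sample line is constructed), and that the 8.8.15/9.0.0 patch level is supplied by the caller because it is not part of the version string. The two sample invites are constructed, not real campaign artefacts.

```python
import base64
import re
from email import message_from_string
from email.policy import default as default_policy

# Header that the sources on this page name as the XSS carrier for CVE-2024-27443.
CALENDAR_HEADER = "X-Zimbra-Calendar-Intended-For"

# Assumption: a legitimate value is a mailbox, optionally in "Name <addr>" form, never markup.
# The angle-addr form is stripped before the markup check so "<bob@example.com>" is not a "tag".
_ANGLE_ADDR = re.compile(r"<[^<>\s@]+@[^<>\s]+>")
_MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|\b(?:eval|atob)\s*\(", re.I)
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_JS_HINTS = re.compile(r"\b(?:document|window|eval|atob|XMLHttpRequest|fetch|location)\b")


def decoded_base64_hits(value):
    """Return the decoded text of every base64 run in value that looks like JavaScript."""
    hits = []
    for match in _B64_RUN.finditer(value):
        blob = match.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)  # restore padding; a run with len % 4 == 1 is not valid base64
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if _JS_HINTS.search(text):
            hits.append(text)
    return hits


def inspect_calendar_header(raw_message):
    """Return (kind, evidence) findings for every calendar header in a raw RFC 5322 message.

    The email parser unfolds continuation lines, so a value split across folded
    header lines is inspected as one string; every MIME part is walked.
    """
    msg = message_from_string(raw_message, policy=default_policy)
    findings = []
    for part in msg.walk():
        for value in part.get_all(CALENDAR_HEADER, []):
            value = str(value)
            if _MARKUP.search(_ANGLE_ADDR.sub("", value)):
                findings.append(("markup_in_header", value))
            for decoded in decoded_base64_hits(value):
                findings.append(("base64_javascript", decoded))
    return findings


# Assumption: the version is the first quoted dotted number after the CLIENT_VERSION field.
_CLIENT_VERSION = re.compile(r'CLIENT_VERSION.{0,200}?["\'](\d+\.\d+\.\d+[^"\']*)["\']', re.S)


def extract_client_version(js_text):
    """Pull the CLIENT_VERSION value out of ZmSettings.js text, or None if it is absent."""
    match = _CLIENT_VERSION.search(js_text)
    return match.group(1) if match else None


def is_affected_version(version, patch_level=None):
    """Apply the ranges listed on this page: 8.8.15 before P46, 9.0.0 before P39, 10.0.x before 10.0.7.

    A build suffix such as '_GA_4518' is ignored. The patch level of the 8.8.15 and 9.0.0
    branches is not in the version string, so the caller supplies it; an unknown patch
    level is treated as affected so that an unconfirmed host is not silently cleared.
    """
    core = version.split("_")[0]
    parts = tuple(int(p) for p in core.split(".")[:3])
    if parts[:2] == (10, 0):
        return parts < (10, 0, 7)
    if parts == (9, 0, 0):
        return patch_level is None or patch_level < 39
    if parts == (8, 8, 15):
        return patch_level is None or patch_level < 46
    return False


# Constructed sample inputs (not real campaign artefacts).
BENIGN_INVITE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Meeting\n"
    'X-Zimbra-Calendar-Intended-For: "Bob Example" <bob@example.com>\n'
    "Content-Type: text/calendar\n"
    "\n"
    "BEGIN:VCALENDAR\nEND:VCALENDAR\n"
)
SUSPECT_INVITE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Meeting\n"
    "X-Zimbra-Calendar-Intended-For: <script>eval(atob('ZG9jdW1lbnQudGl0bGU='))\n"
    " </script>\n"
    "Content-Type: text/calendar\n"
    "\n"
    "BEGIN:VCALENDAR\nEND:VCALENDAR\n"
)
SAMPLE_ZMSETTINGS = 'this.registerSetting("CLIENT_VERSION", {defaultValue:"10.0.6_GA_4518"});'

if __name__ == "__main__":
    print(inspect_calendar_header(BENIGN_INVITE))
    print(inspect_calendar_header(SUSPECT_INVITE))
    version = extract_client_version(SAMPLE_ZMSETTINGS)
    print(version, is_affected_version(version))
```

The header check is deliberately narrow: it strips a well-formed angle address before looking for tags, so an ordinary "Name <addr>" value passes, while a folded header is reassembled by the parser before inspection so splitting a payload across continuation lines does not evade it. The version check mirrors the page's own caveat that a version-only rule flags every unpatched instance rather than confirming attack traffic, and it keeps the 8.8.15 branch in scope.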
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
cisa · 6.1 MEDIUM
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
cisa·2025-05-19·CVSS 6.1
CVE-2024-27443 [MEDIUM] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes ; https://
GHSA
GHSA-qrvg-mg33-q843: An issue was discovered in Zimbra Collaboration (ZCS) 9
ghsa_unreviewed·2024-08-12
CVE-2024-27443 [MEDIUM] CWE-79 GHSA-qrvg-mg33-q843: An issue was discovered in Zimbra Collaboration (ZCS) 9
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
vulncheck·2024·CVSS 6.1
CVE-2024-27443 [MEDIUM] CWE-79 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/en/eset-research/operation-roundpress/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities
No detection rules found.
Nuclei
Zimbra Collaboration - Cross-Site Scripting (XSS)
nuclei·CVSS 6.1
CVE-2024-27443 [MEDIUM] Zimbra Collaboration - Cross-Site Scripting (XSS)
Zimbra Collaboration - Cross-Site Scripting (XSS)
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload.
Template:
id: CVE-2024-27443
info:
  name: Zimbra Collaboration - Cross-Site Scripting (XSS)
  author: rxerium
  severity: medium
  description: |
    An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input
Timeline
2024-08-12: Published
2025-05-19: Added to CISA KEV
Exploited in the wild