CVE-2024-27443

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes	Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes	Release Notes
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443	US Government Resource
https://www.welivesecurity.com/en/eset-research/operation-roundpress/	Press/Media Coverage

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zimbra:collaboration::::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:-::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p0::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p10::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p11::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p12::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p13::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p14::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p15::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p16::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p19::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p2::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p20::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p21::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p23::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p24::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p25::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p26::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p27::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p3::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p30::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p31::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p32::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p33::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p34::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p35::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p36::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p37::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p38::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p4::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p5::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p6::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p7::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p8::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p9::::::

History

31 Oct 2025, 12:49

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443 - US Government Resource

21 Oct 2025, 23:16

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443 -

21 Oct 2025, 20:20

Type	Values Removed	Values Added
References	~~{'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}~~

21 Oct 2025, 19:20

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443 -

21 May 2025, 18:43

Type	Values Removed	Values Added
References	~~() https://www.welivesecurity.com/en/eset-research/operation-roundpress/ -~~	() https://www.welivesecurity.com/en/eset-research/operation-roundpress/ - Press/Media Coverage

19 May 2025, 18:15

Type	Values Removed	Values Added
References		() https://www.welivesecurity.com/en/eset-research/operation-roundpress/ -

14 Aug 2024, 13:18

Type	Values Removed	Values Added
CPE	cpe:2.3:a:zimbra:collaboration:10.0.0:::::::*	cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p27:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p19:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p13:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p10:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p30:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p23:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p31:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p33:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p20:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p14:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p15:::::: cpe:2.3:a:zimbra:collaboration:::::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p5:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p32:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p25:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p11:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p6:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p2:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p38:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p35:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p36:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p24:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p9:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p0:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p8:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p12:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p16:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p26:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p34:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p7:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p3:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p37:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p4:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p21::::::

13 Aug 2024, 17:20

Type	Values Removed	Values Added
First Time		Zimbra collaboration Zimbra
References	~~() https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes -~~	() https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes - Release Notes
References	~~() https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes -~~	() https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes - Release Notes
CWE		CWE-79
CPE		cpe:2.3:a:zimbra:collaboration:10.0.0:::::::* cpe:2.3:a:zimbra:collaboration:9.0.0:-::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
Summary		(es) Se descubrió un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. Existe una vulnerabilidad de cross site scripting (XSS) en la función CalendarInvite de la interfaz de usuario clásica del correo web de Zimbra, debido a una validación de entrada incorrecta en el manejo del encabezado del calendario. Un atacante puede aprovechar esto a través de un mensaje de correo electrónico que contenga un encabezado de calendario manipulado con un payload XSS incorporado. Cuando una víctima ve este mensaje en la interfaz clásica del correo web de Zimbra, el payload se ejecuta en el contexto de la sesión de la víctima, lo que potencialmente conduce a la ejecución de código JavaScript arbitrario.

12 Aug 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-12 15:15

Updated : 2025-10-31 12:49

NVD link : CVE-2024-27443

Mitre link : CVE-2024-27443

CVE.ORG link : CVE-2024-27443

JSON object : View

Products Affected

zimbra

collaboration

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10