Skip to main content

Collaboration CVE-2024-27443

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-08-12 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Added to CISA KEV
Jul 14, 2026 - 04:22 CISA
CVE Published
Aug 12, 2024 - 15:15 nvd
MEDIUM 6.1

DescriptionNVD

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

AnalysisAI

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code. Affected products include: Zimbra Collaboration.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-37393 HIGH POC
7.8 Aug 16

Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. Rat

CVE-2021-35209 CRITICAL POC
9.8 Jul 02

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch

CVE-2022-41347 HIGH POC
7.8 Sep 26

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). Rated high severity (CVSS 7.8), this

CVE-2023-29382 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preaut

CVE-2023-29381 CRITICAL
9.8 Jul 06

An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sen

CVE-2022-32294 CRITICAL
9.8 Jul 11

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove

CVE-2021-35208 MEDIUM POC
5.4 Jul 02

An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before

CVE-2024-45518 HIGH
8.8 Oct 22

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41,

CVE-2023-34193 HIGH
8.8 Jul 06

File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obt

CVE-2024-27442 HIGH
7.8 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-24032 HIGH
7.8 Jun 15

In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instan

CVE-2024-33535 HIGH
7.5 Aug 12

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. Rated high severity (CVSS 7.5), this vulnerability i

Share

CVE-2024-27443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy