6.1
CVE-2024-27443
- EPSS 32.88%
- Veröffentlicht 12.08.2024 15:15:20
- Zuletzt bearbeitet 31.10.2025 12:49:00
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAn issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zimbra ≫ Collaboration Version >= 10.0.0 < 10.0.7
Zimbra ≫ Collaboration Version9.0.0 Update-
Zimbra ≫ Collaboration Version9.0.0 Updatep0
Zimbra ≫ Collaboration Version9.0.0 Updatep1
Zimbra ≫ Collaboration Version9.0.0 Updatep10
Zimbra ≫ Collaboration Version9.0.0 Updatep11
Zimbra ≫ Collaboration Version9.0.0 Updatep12
Zimbra ≫ Collaboration Version9.0.0 Updatep13
Zimbra ≫ Collaboration Version9.0.0 Updatep14
Zimbra ≫ Collaboration Version9.0.0 Updatep15
Zimbra ≫ Collaboration Version9.0.0 Updatep16
Zimbra ≫ Collaboration Version9.0.0 Updatep19
Zimbra ≫ Collaboration Version9.0.0 Updatep2
Zimbra ≫ Collaboration Version9.0.0 Updatep20
Zimbra ≫ Collaboration Version9.0.0 Updatep21
Zimbra ≫ Collaboration Version9.0.0 Updatep23
Zimbra ≫ Collaboration Version9.0.0 Updatep24
Zimbra ≫ Collaboration Version9.0.0 Updatep24.1
Zimbra ≫ Collaboration Version9.0.0 Updatep25
Zimbra ≫ Collaboration Version9.0.0 Updatep26
Zimbra ≫ Collaboration Version9.0.0 Updatep27
Zimbra ≫ Collaboration Version9.0.0 Updatep3
Zimbra ≫ Collaboration Version9.0.0 Updatep30
Zimbra ≫ Collaboration Version9.0.0 Updatep31
Zimbra ≫ Collaboration Version9.0.0 Updatep32
Zimbra ≫ Collaboration Version9.0.0 Updatep33
Zimbra ≫ Collaboration Version9.0.0 Updatep34
Zimbra ≫ Collaboration Version9.0.0 Updatep35
Zimbra ≫ Collaboration Version9.0.0 Updatep36
Zimbra ≫ Collaboration Version9.0.0 Updatep37
Zimbra ≫ Collaboration Version9.0.0 Updatep38
Zimbra ≫ Collaboration Version9.0.0 Updatep4
Zimbra ≫ Collaboration Version9.0.0 Updatep5
Zimbra ≫ Collaboration Version9.0.0 Updatep6
Zimbra ≫ Collaboration Version9.0.0 Updatep7
Zimbra ≫ Collaboration Version9.0.0 Updatep7.1
Zimbra ≫ Collaboration Version9.0.0 Updatep8
Zimbra ≫ Collaboration Version9.0.0 Updatep9
19.05.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
SchwachstelleZimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.
BeschreibungApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 32.88% | 0.967 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.