CVE-2025-27915

Warnung

Exploit

EPSS 30.62%
Veröffentlicht 12.03.2025 00:00:00
Zuletzt bearbeitet 04.11.2025 16:45:11
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Synacor ≫ Zimbra Collaboration Suite Version >= 10.0.0 < 10.0.13

Synacor ≫ Zimbra Collaboration Suite Version >= 10.1.0 < 10.1.5

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Update-

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep1

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep10

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep11

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep12

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep13

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep14

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep15

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep16

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep17

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep18

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep19

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep2

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep20

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep21

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep22

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep23

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep24

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep24.1

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep25

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep26

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep27

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep28

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep29

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep3

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep30

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep31

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep32

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep33

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep34

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep35

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep36

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep37

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep38

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep39

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep4

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep40

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep41

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep42

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep43

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep5

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep6

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep7

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep8

Synacor ≫ Zimbra Collaboration Suite Version9.0.0 Updatep9

07.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Schwachstelle

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	30.62%	0.965

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://wiki.zimbra.com/wiki/Security_Center

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes

Release Notes

https://strikeready.com/blog/0day-ics-attack-in-the-wild/

Third Party Advisory

Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-27915

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27915

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27915

EUVD