CVE-2024-27443

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration (ZCS) versions 9.0 through 10.0

Description A Cross-Site Scripting (XSS) issue exists in the CalendarInvite feature of the Zimbra webmail classic user interface due to improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Recommendations For Zimbra Collaboration (ZCS) versions 9.0 through 10.0, consider disabling the CalendarInvite feature until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the Zimbra webmail classic user interface to minimize the risk of exploitation. Avoid viewing email messages with crafted calendar headers in the Zimbra webmail classic interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.