216.73.217.22

CVE-2025-27915

· Published 12/03/2025 15:15 · Modified 12/03/2025 16:15

Labels: CVE-2025-27915 2025-03-12CVE-2025-27915CWE-79[email protected]

Essential information

Published
12/03/2025 15:15
Modified
12/03/2025 16:15
Author
Creator
CVSS
5.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zimbra / zimbra collaboration cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*

References

Related entities

Attack reports, intrusion sets, malwares, attack patterns and indicators linked to this vulnerability.

Attack reports (1)