XSS Vulnerability in CalendarInvite Feature of Zimbra Webmail Classic User Interface
CVE-2024-27443
Key Information:
- Vendor
Zimbra
- Status
- Vendor
- CVE Published:
- 12 August 2024
Badges
What is CVE-2024-27443?
A Cross-Site Scripting (XSS) vulnerability has been identified in the CalendarInvite feature of the classic Zimbra webmail interface. This vulnerability arises from inadequate input validation in handling calendar headers. Attackers can exploit this flaw by crafting a malicious email containing a calendar header with an embedded XSS payload. When users access this email in the Zimbra webmail interface, the payload executes within the victim's session, potentially allowing attackers to run arbitrary JavaScript code in the context of the user's session.
CISA has reported CVE-2024-27443
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-27443 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.