CVE-2024-27443

MEDIUM 6.1

⚠️ CISA KEV

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Vendor	n/a
Product	n/a
Published	Aug 12, 2024
Last Updated	Oct 21, 2025

⚠️ Actively Exploited — Act Now

Get instant alerts for n/a n/a

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-27443.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

n/a / n/a

n/a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wiki.zimbra.com: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes wiki.zimbra.com: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes welivesecurity.com: https://www.welivesecurity.com/en/eset-research/operation-roundpress/ cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443