About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability

About Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443) vulnerability. Zimbra Collaboration is a collaboration software suite that includes a mail server and a web client. An attacker can send an email containing a specially crafted calendar header with an embedded payload. If the user opens the email in the classic Zimbra web interface, the malicious JavaScript code will be executed in the context of the web browser window.

The vulnerability was fixed on February 28, 2024. As with the MDaemon vulnerability, exploitation of this vulnerability in the wild was reported by ESET researchers (Operation “RoundPress”). They discovered attacks in 2024, after the patch had already been released. The malicious code allowed attackers to steal credentials, extract contacts and settings, and gain access to email messages.

ESET published information about the attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.