Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Stored XSS in Zimbra Collaboration CalendarInvite classic webmail

IdentifiersCVE-2024-27443CWE-79· Improper Neutralization of Input…

CVE-2024-27443 is a cross-site scripting vulnerability in Zimbra Collaboration (ZCS) 9.0 and 10.0 affecting the CalendarInvite feature in the classic webmail user interface. The issue is caused by improper input validation and sanitization of calendar-related header data, specifically reported as handling of the calendar header and, in supporting reporting, the X-Zimbra-Calendar-Intended-For header. An attacker can send a crafted email message containing a malicious calendar header with embedded JavaScript payload. When the victim opens or views the message in the vulnerable Zimbra classic webmail interface, the payload executes in the context of the victim’s authenticated webmail session. Reporting on in-the-wild exploitation indicates the flaw has been used in zero-click-style webmail attacks where opening the email is sufficient to trigger execution of attacker-supplied JavaScript in the browser tab hosting Zimbra.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of arbitrary JavaScript in the victim’s Zimbra webmail session. This can enable theft of session-context data and mailbox contents, including credentials, emails, contacts, login history, mail filters, and potentially two-factor-authentication-related data depending on browser and webmail state. Supporting reporting also indicates attackers can manipulate inbox contents, intercept or forward emails, and hijack email accounts for espionage or follow-on phishing. The code executes in the webmail page context rather than as native code on the underlying host, but it can still provide substantial access to the victim’s mailbox and associated account data.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce exposure by restricting access to the classic webmail interface where feasible, limiting external access to Zimbra webmail, and monitoring for suspicious calendar-invite emails and anomalous mailbox rule changes. Use web application filtering and content inspection to detect or block malicious calendar headers where possible. Enforce MFA, monitor for credential reuse and unusual login activity, and consider isolating or disabling vulnerable webmail components exposed to untrusted email content. Because exploitation is triggered by viewing a crafted message, user awareness alone is insufficient as a primary control.

Remediation

Patch, then assume compromise.

Apply the vendor patch or upgrade to a fixed Zimbra Collaboration release for affected 9.0 and 10.0 deployments. Because this vulnerability has been reported as exploited in the wild, remediation should be prioritized for any internet-accessible or high-value webmail environment. After patching, review mailbox rules, forwarding settings, application passwords, session tokens, and account activity for signs of compromise, and rotate credentials and invalidate active sessions for potentially affected users.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ZimbraCollaborationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app
securityaffairsNews
Oct 10, 2025
Ukraine sees surge in AI-Powered cyberattacks by Russia-linked Threat Actors

A cross-site scripting (XSS) vulnerability in Roundcube and Zimbra webmail platforms, exploited for zero-click attacks by APT28.

Read more
the hacker newsNews
Oct 9, 2025
From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine

A cross-site scripting (XSS) vulnerability in Zimbra webmail that was reportedly weaponized to enable zero-click style attacks leading to credential and email data theft via injected malicious code and abuse of the webmail API.

Read more
cyberthroneNews
May 20, 2025
CISA Adds Six Vulnerabilities to KEV Catalog

A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that can enable credential theft, inbox manipulation, and email interception.

Read more
dark readingNews
May 19, 2025
'Operation RoundPress' Targets Ukraine in XSS Webmail Attacks

A medium-severity cross-site scripting (XSS) vulnerability in Zimbra webmail software, allowing attackers to execute malicious JavaScript in the victim's browser session.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-27443
NVD
nvd.nist.gov/vuln/detail/CVE-2024-27443
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Release Notes
wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7
Release Notes
wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39
Press/Media Coverage
welivesecurity.com/en/eset-research/operation-roundpress
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443