Back to KEVs

CVE-2025-27915

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the...

Basic Information

CVE State
PUBLISHED
Reserved Date
March 10, 2025
Published Date
March 12, 2025
Last Updated
February 26, 2026
Vendor
n/a
Product
n/a
Description
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v3.1

5.4 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:41:51 UTC) Source

References

https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:41:51 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-27915.yaml 2026-06-01 15:34:41 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei