CVE-2025-27915 · MEDIUM 5.4 · CISA KEV · EPSS p89.8%

CVE-2025-27915: Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Synacor / Zimbra Collaboration Suite (ZCS)

Description

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic Web Client, caused by insufficient sanitization of HTML content in ICS (calendar) files. When a user views an e-mail message containing a malicious ICS entry, JavaScript embedded in that entry executes through an ontoggle event handler on a <details> tag. The attacker's script then runs within the victim's session and can perform unauthorized actions on the victim's account, such as creating e-mail filters that redirect messages to an attacker-controlled address, enabling e-mail redirection and data exfiltration.

Scoring

CVSS 3.1: 5.4 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 4.24% probability of exploitation · percentile 89.8% · 2026-06-18T12:00:27Z
Published: 2025-03-12
Last modified: 2025-11-04

CISA KEV entry

Added to KEV: 2025-10-07

Underlying weaknesses · 1

CWE-79

References

  1. https://wiki.zimbra.com/wiki/Security_Center
  2. https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes
  3. https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes
  4. https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes
  5. https://strikeready.com/blog/0day-ics-attack-in-the-wild/
  6. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915

Relations · 1

Type       Target                                                                                   Confidence  Tier
Weakness   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [cwe-79]   0%          live

Relations (incoming) · 1

Type       Target                                                                                   Confidence  Tier
KEVEntry   Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability [kev-cve-2025-27915]   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
  CVE: Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability
  CVE: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
  CVE: Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
  CVE: Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
  CVE: Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.