CVE-2025-27915
Published: 12 March 2025
Description
Adversaries may employ various time-based methods to evade detection and analysis.
Security Summary
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1, specifically in the Classic Web Client. The flaw arises from insufficient sanitization of HTML content within ICS files attached to or embedded in emails. A malicious ICS entry can include JavaScript that executes via an ontoggle event within a <details> tag when the email is viewed. The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
An attacker with low privileges, such as an ordinary ZCS user account, can exploit this by sending an email containing the malicious ICS to a target victim. When the victim opens and views the email in the Classic Web Client, the embedded JavaScript executes in the context of the victim's authenticated browser session. This gives the attacker arbitrary JavaScript execution within that session, allowing actions such as configuring email filters to redirect messages to an attacker-controlled address, leading to unauthorized account actions, email redirection, and potential data exfiltration.
Zimbra advisories document fixes in patches for affected versions: ZCS 10.0.13, 10.1.5, and 9.0.0 Patch 44 (P44). Administrators should apply these updates to mitigate the issue, as detailed in the Zimbra Security Center and release notes.
The vulnerability has seen real-world exploitation as a zero-day ICS attack, as reported in external analysis.
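The root cause above is HTML, including event-handler attributes, surviving inside ICS text properties. The following is an added example (not Zimbra code and not taken from the real exploit) of a defender-side check: it unfolds RFC 5545 lines, pulls the text-bearing properties out of a constructed ICS sample, flags any HTML tag carrying an on* attribute, and shows the safe rendering (escape the whole value as text). The sample ICS, property names, and handler body are assumptions.

```python
from __future__ import annotations
import html
import re

# Constructed sample: an ICS entry whose DESCRIPTION embeds HTML with an
# on* event-handler attribute of the kind described for CVE-2025-27915.
# The handler body "x()" is a placeholder, not a real payload.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda <details open ontoggle=\"x()\">more</details> and ",
    " plain text continues here",  # folded continuation line (leading space)
    "END:VEVENT",
    "END:VCALENDAR",
])

TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT"}
# Any tag containing an attribute whose name starts with "on" (onload, ontoggle, ...).
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def text_properties(ics: str) -> dict[str, str]:
    """Return the text-bearing properties, keyed by base name (parameters stripped).
    Simplification: quoted parameter values containing ':' are not handled."""
    props: dict[str, str] = {}
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        base = name.split(";", 1)[0].upper()
        if sep and base in TEXT_PROPS:
            props[base] = value
    return props

def find_event_handlers(ics: str) -> list[tuple[str, str]]:
    """Flag (property, matched tag prefix) pairs where HTML carries an on* handler."""
    return [(prop, m.group(0))
            for prop, value in text_properties(ics).items()
            for m in EVENT_HANDLER.finditer(value)]

def render_as_text(value: str) -> str:
    """Safe rendering: escape the property value so no tag or attribute is interpreted."""
    return html.escape(value, quote=True)
```

In a mail pipeline the flagged hits would feed an alert or quarantine rule, while render_as_text is the fallback for any calendar text the client chooses not to parse as HTML.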
Details
- CWE(s): CWE-79
- KEV Date Added: 07 October 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via a malicious ICS in email gives the attacker JavaScript execution in the victim's session, which maps to: obfuscated payload delivery through a spearphishing attachment, email collection and forwarding rules, data exfiltration over C2, UI hiding, execution delays and guardrails, and user activity checks.