Vulnerability Database

CVE-2025-27915

An issue was discovered in Zimbra Collaboration (ZCS) 9.0, 10.0, and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session and perform unauthorized actions on the victim's account, such as setting e-mail filters to redirect messages to an attacker-controlled address, as well as data exfiltration.

  • Published: Mar 12, 2025
  • Updated: Nov 5, 2025
  • CVE: CVE-2025-27915
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.4
  • Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Software | From | Fixed in |
| --- | --- | --- |
| synacor / zimbra_collaboration_suite | 10.0.0 | 10.0.13 |
| synacor / zimbra_collaboration_suite | 10.1.0 | 10.1.5 |
| synacor / zimbra_collaboration_suite | 9.0.0 | 9.0.0.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p1 | 9.0.0-p1.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p10 | 9.0.0-p10.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p11 | 9.0.0-p11.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p12 | 9.0.0-p12.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p13 | 9.0.0-p13.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p14 | 9.0.0-p14.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p15 | 9.0.0-p15.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p16 | 9.0.0-p16.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p17 | 9.0.0-p17.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p18 | 9.0.0-p18.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p19 | 9.0.0-p19.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p2 | 9.0.0-p2.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p20 | 9.0.0-p20.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p21 | 9.0.0-p21.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p22 | 9.0.0-p22.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p23 | 9.0.0-p23.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p24 | 9.0.0-p24.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p24.1 | 9.0.0-p24.1.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p25 | 9.0.0-p25.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p26 | 9.0.0-p26.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p27 | 9.0.0-p27.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p28 | 9.0.0-p28.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p29 | 9.0.0-p29.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p3 | 9.0.0-p3.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p30 | 9.0.0-p30.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p31 | 9.0.0-p31.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p32 | 9.0.0-p32.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p33 | 9.0.0-p33.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p34 | 9.0.0-p34.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p35 | 9.0.0-p35.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p36 | 9.0.0-p36.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p37 | 9.0.0-p37.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p38 | 9.0.0-p38.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p39 | 9.0.0-p39.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p4 | 9.0.0-p4.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p40 | 9.0.0-p40.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p41 | 9.0.0-p41.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p42 | 9.0.0-p42.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p43 | 9.0.0-p43.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p5 | 9.0.0-p5.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p6 | 9.0.0-p6.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p7 | 9.0.0-p7.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p8 | 9.0.0-p8.x |
| synacor / zimbra_collaboration_suite | 9.0.0-p9 | 9.0.0-p9.x |