Lucene search
K

Zimbra - Cross-Site Scripting via ICS Files

🗓️ 10 Jul 2026 03:01:38Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 14 Views

Detects Zimbra CVE 2025 27915 stored XSS in ICS attachments affecting the Classic Web Client.

Related
Refs
Code
id: CVE-2025-27915

info:
  name: Zimbra - Cross-Site Scripting via ICS Files
  author: Snbig,EhsanCreator,eliotworkspac-max
  severity: medium
  description: |
    Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
  impact: |
    Authenticated users viewing malicious ICS files can have JavaScript executed in their browser context through stored XSS, potentially leading to session hijacking and data exfiltration.
  remediation: |
    Upgrade to Zimbra Collaboration Suite version 9.0.1, 10.0.13, or 10.1.5 or later that properly sanitizes HTML content in ICS files.
  reference:
    - https://wiki.zimbra.com/wiki/Security_Center
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27915
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-27915
    cwe-id: CWE-79
    epss-score: 0.04241
    epss-percentile: 0.89856
  metadata:
    max-request: 1
    verified: true
    vendor: zimbra
    product: collaboration
    fofa-query: title="Zimbra Collaboration Suite"
    shodan-query: http.title:"Zimbra Collaboration Suite"
  tags: cve,cve2025,zimbra,xss,ics,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: dsl
        dsl:
          - compare_versions(version, '9.0.0')
          - compare_versions(version, '>= 10.0.0', '< 10.0.13')
          - compare_versions(version, '>= 10.1.0', '< 10.1.5')
        condition: or

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - CLIENT_VERSION\",\s+{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}
# digest: 490a00463044022021dec358f76b4c63c9e44932ad6d74ed49e20af7ed8f136e8be984b841302a660220199a9c698f9fc1ed27b69ebadec970ccda007f75d0154beb76654f3b8093604c:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.15.4
EPSS0.04241
SSVC
14