VULNERABILITY
Zimbra Collaboration: CVE-2025-27915: This patch fixes a critical security vulnerability.
Email Address is Required
Zimbra Collaboration: CVE-2025-27915: This patch fixes a critical security vulnerability.
Description
An issue was discovered in zimbra collaboration (zcs) 9.0 and 10.0 and 10.1. a stored cross-site scripting (xss) vulnerability exists in the classic web client due to insufficient sanitization of html content in ics files. when a user views an e-mail message containing a malicious ics entry, its embedded javascript executes via an ontoggle event inside a <details> tag. this allows an attacker to run arbitrary javascript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. as a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
Solution(s)
- zimbra-collaboration-upgrade-latest
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center
