CVE-2024-27443: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Zimbra Collaboration (ZCS) versions 9.0 and 10.0, specifically affecting the CalendarInvite feature in the Zimbra webmail classic user interface. The vulnerability was disclosed in August 2024 and assigned identifier CVE-2024-27443 (NVD).

The vulnerability stems from improper input validation in the handling of calendar headers within the CalendarInvite feature. The CVSS v3.1 base score is 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

When exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's session. The attack is triggered when a victim views a specially crafted email message containing a malicious calendar header in the Zimbra webmail classic interface (NVD).

The vulnerability has been patched in Zimbra Collaboration version 10.0.7 and version 9.0.0 Patch 39. Users are advised to upgrade to these versions to protect against this vulnerability (Zimbra Release Notes, Zimbra Patch Notes).