CVE-2025-27915: Zimbra - Cross-Site Scripting via ICS Files

Date: 2025-12-02 | Affected software: Zimbra | PoC: public

Vulnerability description

CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client of Zimbra Collaboration Suite, caused by insufficient sanitization of HTML content carried in ICS (iCalendar) files. When a user views an email containing a malicious ICS entry, JavaScript placed in an ontoggle event handler on a details element runs in the user's browser within their authenticated Zimbra session, so an attacker can act as that user, for example by creating rules that redirect email, and exfiltrate data. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog. The Nuclei template below does not trigger the XSS: it fingerprints the installed version from ZmSettings.js and flags versions in the affected ranges, so a match means an unpatched build, not a confirmed exploitable mailbox.
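Mail-side triage of the pattern described above, as an added example that is not part of this page's template or of Zimbra: a small Python scanner that unfolds an iCalendar payload, pulls the text-bearing properties (the property list DESCRIPTION, X-ALT-DESC, SUMMARY, LOCATION, COMMENT and the two sample invites are constructed assumptions), undoes RFC 5545 text escaping so an encoded newline cannot split a tag, and reports every HTML tag carrying an on* event handler, flagging a details/ontoggle pair specifically. It is a heuristic for inbound invites, not a replacement for the server-side sanitizer.

```python
import re

# Constructed sample invites (not real traffic). The first carries the
# details/ontoggle shape described for CVE-2025-27915 with a harmless payload,
# split across a folded line; the second is ordinary HTML that should pass.
MALICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Planning sync\r\n"
    "DESCRIPTION:Agenda\\n<details open ontoggle=\"alert(1)\">\r\n"
    " click</details>\r\n"  # RFC 5545 continuation line (leading space)
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-2@example.invalid\r\n"
    "SUMMARY:Planning sync\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<b>Agenda</b> at "
    "<a href=\"https://example.invalid/?one=1\">site</a>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Properties that routinely carry free text or HTML in invites (assumed list).
TEXT_PROPERTIES = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

# An opening tag and its attribute string; closing tags (</x>) do not match.
TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)([^>]*)>", re.S)
# An on* attribute that starts an attribute (preceded by whitespace or '/'),
# so "?one=1" inside an href value is not reported.
HANDLER_RE = re.compile(r"(?:^|[\s/])(on[a-z]+)\s*=", re.I)

# RFC 5545 TEXT escapes: \n and \N are newlines; \, \; and \\ are literals.
_ESCAPES = {"n": "\n", "N": "\n", ",": ",", ";": ";", "\\": "\\"}


def unfold_ics(text: str) -> str:
    """Join RFC 5545 folded lines: a CRLF (or LF) followed by space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def unescape_ics_value(value: str) -> str:
    """Undo TEXT escaping so an encoded newline cannot hide a tag boundary."""
    return re.sub(r"\\([nN,;\\])", lambda m: _ESCAPES[m.group(1)], value)


def text_properties(ics: str):
    """Yield (property name, unescaped value) for text-bearing properties."""
    for line in unfold_ics(ics).split("\n"):
        name, sep, value = line.rstrip("\r").partition(":")
        if not sep:
            continue
        # Drop parameters such as ;FMTTYPE=text/html before matching the name.
        base = name.split(";", 1)[0].upper()
        if base in TEXT_PROPERTIES:
            yield base, unescape_ics_value(value)


def scan_ics(ics: str) -> list:
    """Return one finding per on* handler found: (property, tag, attribute)."""
    findings = []
    for prop, value in text_properties(ics):
        for tag in TAG_RE.finditer(value):
            for handler in HANDLER_RE.finditer(tag.group(2)):
                findings.append((prop, tag.group(1).lower(), handler.group(1).lower()))
    return findings


def has_details_ontoggle(findings: list) -> bool:
    """True when the exact shape the advisory describes is present."""
    return any(tag == "details" and attr == "ontoggle" for _, tag, attr in findings)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_ICS), ("benign", BENIGN_ICS)):
        found = scan_ics(sample)
        print(label, found, "CVE-2025-27915 pattern" if has_details_ontoggle(found) else "")
```

Any on* handler in an invite is worth a look, because the details/ontoggle pair is only the variant the advisory names; the specific flag exists so a SOC rule can give that shape a higher priority while still logging the rest.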

PoC code [public]

id: CVE-2025-27915

info:
  name: Zimbra - Cross-Site Scripting via ICS Files
  author: Snbig,EhsanCreator,eliotworkspac-max
  severity: medium
  description: |
    Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
  impact: |
    Authenticated users viewing malicious ICS files can have JavaScript executed in their browser context through stored XSS, potentially leading to session hijacking and data exfiltration.
  remediation: |
    Upgrade to Zimbra Collaboration Suite 9.0.0 Patch 44, 10.0.13, or 10.1.5 or later, which properly sanitize HTML content in ICS files.
  reference:
    - https://wiki.zimbra.com/wiki/Security_Center
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27915
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-27915
    cwe-id: CWE-79
    epss-score: 0.29359
    epss-percentile: 0.96464
  metadata:
    max-request: 1
    verified: true
    vendor: zimbra
    product: collaboration
    fofa-query: title="Zimbra Collaboration Suite"
    shodan-query: http.title:"Zimbra Collaboration Suite"
  tags: cve,cve2025,zimbra,xss,ics,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: dsl
        dsl:
          - compare_versions(version, '9.0.0')
          - compare_versions(version, '>= 10.0.0', '< 10.0.13')
          - compare_versions(version, '>= 10.1.0', '< 10.1.5')
        condition: or

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - CLIENT_VERSION\",\s+{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}
# digest: 4b0a00483046022100d0a8e0408f7db34ebdfa8fd26106aff0dcc7f9a23f21cb9b12dd26e66fe79a06022100a3d8bc56b72e5032a2ed76486c4f7f3f8909943fcad325132914dd69c4e8f543:922c64590222798bb761d5b6d8e72950
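An offline reproduction of the version check the template performs, added here as an example (it is not part of the template or of Zimbra): the extractor regex is applied to constructed ZmSettings.js fragments, shaped like the registerSetting line the regex expects but with made-up build numbers, and the captured version is compared against the same ranges as the dsl block. Note the caveat the dsl block carries: 9.0.0 is matched exactly, and because the regex captures only the base version and build tag, a 9.0.0 host that has received the fix as a patch looks the same as an unpatched one. Treat 9.0.0 hits as needing patch-level verification on the host, and note that 8.8.x builds are outside the template's ranges and therefore never reported.

```python
import re

# Same extractor regex as the template, in Python syntax.
VERSION_RE = re.compile(
    r'CLIENT_VERSION",\s+\{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}'
)

# Vulnerable ranges as [lower, upper) tuples, mirroring the dsl block:
# 9.0.0 exactly, 10.0.0 up to (excluding) 10.0.13, 10.1.0 up to (excluding) 10.1.5.
VULNERABLE_RANGES = (
    ((9, 0, 0), (9, 0, 1)),
    ((10, 0, 0), (10, 0, 13)),
    ((10, 1, 0), (10, 1, 5)),
)

# Constructed ZmSettings.js fragments; the build tag GA_1234 is invented and
# not taken from any Zimbra release.
SAMPLE_VULNERABLE_JS = (
    'this.registerSetting("CLIENT_VERSION", '
    '{type:ZmSetting.T_CONFIG, defaultValue:"10.1.4_GA_1234"});'
)
SAMPLE_PATCHED_JS = (
    'this.registerSetting("CLIENT_VERSION", '
    '{type:ZmSetting.T_CONFIG, defaultValue:"10.1.5_GA_1234"});'
)


def parse_version(version: str) -> tuple:
    """'10.0.13' -> (10, 0, 13); shorter strings are padded with zeros."""
    parts = tuple(int(part) for part in version.split("."))
    return parts + (0,) * (3 - len(parts))


def extract_client_version(js: str):
    """Return (version, build tag) from a ZmSettings.js body, or None."""
    match = VERSION_RE.search(js)
    return (match.group(1), match.group(2)) if match else None


def is_vulnerable_version(version: str) -> bool:
    """True when the version falls inside one of the template's ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in VULNERABLE_RANGES)


def check_zmsettings(js: str):
    """Return (version, build, vulnerable) or None when no fingerprint is present."""
    extracted = extract_client_version(js)
    if extracted is None:
        return None
    version, build = extracted
    return version, build, is_vulnerable_version(version)


if __name__ == "__main__":
    for js in (SAMPLE_VULNERABLE_JS, SAMPLE_PATCHED_JS, "// no fingerprint here"):
        print(check_zmsettings(js))
```

The script reproduces only the extractor and the version comparison; the template additionally requires the body to contain "Zimbra Collaboration Suite" and the response to be served as application/x-javascript before the dsl matcher is evaluated.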
