CVE-2025-27915: Zimbra - Cross-Site Scripting via ICS Files

Date: 2025-12-02 | Affected software: Zimbra | PoC: public

Vulnerability description

Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.

PoC code [public]

id: CVE-2025-27915

info:
  name: Zimbra - Cross-Site Scripting via ICS Files
  author: Snbig,EhsanCreator,eliotworkspac-max
  severity: medium
  description: |
    Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions like email redirection and data exfiltration.
  reference:
    - https://wiki.zimbra.com/wiki/Security_Center
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27915
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-27915
    cwe-id: CWE-79
    epss-score: 0.30622
    epss-percentile: 0.96533
  metadata:
    max-request: 1
    verified: true
    vendor: zimbra
    product: collaboration
    fofa-query: title="Zimbra Collaboration Suite"
    shodan-query: http.title:"Zimbra Collaboration Suite"
  tags: cve,cve2025,zimbra,xss,ics,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: dsl
        dsl:
          - compare_versions(version, '9.0.0')
          - compare_versions(version, '>= 10.0.0', '< 10.0.13')
          - compare_versions(version, '>= 10.1.0', '< 10.1.5')
        condition: or

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - CLIENT_VERSION\",\s+{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}
# digest: 4a0a00473045022100f6c7518d3dc672b68c238d9bb3ed673bd5cfe4f7c3fedeccdc367b05900d678e022046bd9aa29d6a720aa1f6c72503e7aba1768cf54478da16daebffbf9a2a70bdf9:922c64590222798bb761d5b6d8e72950
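The template above fingerprints a target by pulling the CLIENT_VERSION setting out of ZmSettings.js and gating on three version ranges. The following Python is an added, offline re-implementation of that gate for checking a saved copy of the file; it is not part of this page's template or of the Nuclei project. It reuses the template's own regex and range constraints. The layout of the constructed ZmSettings.js sample and the reading of the bare '9.0.0' constraint as "exactly 9.0.0" are assumptions.

```python
import re
from typing import Optional, Tuple

# Regex copied from the Nuclei template on this page: group 1 is the dotted
# release (e.g. "10.0.9"), group 2 is the build tag (e.g. "GA_4567").
CLIENT_VERSION_RE = re.compile(
    r'CLIENT_VERSION\",\s+{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}'
)

# Affected ranges as written in the template's compare_versions() checks,
# expressed as (inclusive lower bound, exclusive upper bound). The bare
# '9.0.0' constraint is read as "exactly 9.0.0" (assumption about how a
# constraint with no operator is interpreted).
AFFECTED_RANGES = (
    ((9, 0, 0), (9, 0, 1)),
    ((10, 0, 0), (10, 0, 13)),
    ((10, 1, 0), (10, 1, 5)),
)

# Constructed sample of a fetched ZmSettings.js body (layout assumed; only the
# CLIENT_VERSION registration line is exercised by the regex).
SAMPLE_ZMSETTINGS_JS = (
    'ZmSettings.prototype._initialize = function() {\n'
    '\tthis.registerSetting("CLIENT_VERSION",\t\t'
    '{type:ZmSetting.T_CONFIG, defaultValue:"10.0.9_GA_4567"});\n'
    '\tthis.registerSetting("CLIENT_RELEASE",\t\t'
    '{type:ZmSetting.T_CONFIG, defaultValue:"20240101"});\n'
    '};\n'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.9' into (10, 0, 9), padding to three components."""
    parts = [int(p) for p in text.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def extract_version(js_text: str) -> Optional[Tuple[str, str]]:
    """Return (release, build_tag) from a ZmSettings.js body, or None."""
    m = CLIENT_VERSION_RE.search(js_text)
    if m is None:
        return None
    return m.group(1), m.group(2)


def is_vulnerable(release: str) -> bool:
    """True if the release falls inside one of the template's affected ranges."""
    v = parse_version(release)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def assess(js_text: str) -> dict:
    """Combine extraction and range check the way the template's matchers do."""
    found = extract_version(js_text)
    if found is None:
        return {"matched": False, "reason": "CLIENT_VERSION not found"}
    release, build = found
    return {"matched": is_vulnerable(release), "release": release, "build": build}


if __name__ == "__main__":
    print(assess(SAMPLE_ZMSETTINGS_JS))
```

Note that the template extracts the build tag (regex group 2) but never uses it: any 9.0.0 install matches regardless of patch level, so a hit on that branch is a version-string signal only and should be confirmed against the vendor's patch list before being reported as vulnerable.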
