CVE-2025-27915 — AI Deep Analysis Summary

🚨 **Essence**: Stored XSS in Zimbra Classic Web Client. 📉 **Consequences**: Malicious JS executes when viewing emails with ICS files. 💥 **Impact**: Unauthorized actions, data theft, session hijacking.

🛡️ **Root Cause**: Insufficient HTML sanitization in ICS files. 🧬 **Flaw**: The parser fails to strip dangerous tags/attributes. 📌 **CWE**: Not specified in data, but implies Input Validation failure.

🏢 **Affected**: Zimbra Collaboration Server (ZCS). 📦 **Versions**: 9.0, 10.0, and 10.1. 🖥️ **Component**: Classic Web Client specifically.

🕵️ **Attacker Actions**: Execute arbitrary JavaScript. 📧 **Impact**: Redirect emails, exfiltrate user data. 🔓 **Privileges**: User-level context (Stored XSS).

🔑 **Auth Required**: Yes, victim must view the malicious email. 📩 **Vector**: Email delivery with malicious ICS attachment. 🎯 **Threshold**: Medium (Social engineering needed).

🔍 **PoC Available**: Yes, via Nuclei templates. 🌐 **Link**: projectdiscovery/nuclei-templates. 🚫 **Wild Exploit**: Not confirmed, but detection is public.

🔎 **Check**: Scan for ZCS versions 9.0-10.1. 🛠️ **Tool**: Use Nuclei template for CVE-2025-27915. 📧 **Manual**: Check if Classic Client processes ICS HTML.

✅ **Fixed**: Yes, official patches released. 📅 **Refs**: Zimbra Wiki Security Fixes (9.0.0/P44, 10.0.13, 10.1.5). 🔄 **Action**: Update immediately.

🚧 **Workaround**: Disable Classic Web Client if possible. 🚫 **Filter**: Block ICS file attachments via gateway. 👁️ **Monitor**: Watch for unusual JS execution in client.

⚡ **Priority**: HIGH. 📅 **Published**: 2025-03-12. 🚨 **Urgency**: Stored XSS is critical for enterprise email. 🏃 **Action**: Patch NOW.