id: CVE-2025-27915

info:
  name: Zimbra - Cross-Site Scripting via ICS Files
  author: Snbig,EhsanCreator,eliotworkspac-max
  severity: medium
  description: |
    Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client caused by insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event inside a details tag, allowing attackers to perform unauthorized actions such as email redirection and data exfiltration.
  impact: |
    Authenticated users viewing malicious ICS files can have JavaScript executed in their browser context through stored XSS, potentially leading to session hijacking and data exfiltration.
  remediation: |
    Upgrade to Zimbra Collaboration Suite 9.0.1, 10.0.13, or 10.1.5 (or later), which properly sanitize HTML content in ICS files.
  reference:
    - https://wiki.zimbra.com/wiki/Security_Center
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27915
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2025-27915
    cwe-id: CWE-79
    epss-score: 0.26053
    epss-percentile: 0.96378
  metadata:
    max-request: 1
    verified: true
    vendor: zimbra
    product: collaboration
    fofa-query: title="Zimbra Collaboration Suite"
    shodan-query: http.title:"Zimbra Collaboration Suite"
  tags: cve,cve2025,zimbra,xss,ics,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: dsl
        dsl:
          - compare_versions(version, '9.0.0')
          - compare_versions(version, '>= 10.0.0', '< 10.0.13')
          - compare_versions(version, '>= 10.1.0', '< 10.1.5')
        condition: or

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'CLIENT_VERSION\",\s+{type:ZmSetting\.T_CONFIG, defaultValue:"([0-9.]+)_([A-Z_0-9]+)"\}'
# digest: 490a0046304402206796deef11b51945bc421f3e12572ef98bd85109170c0bc48cfefd30355626ee02202b42eb21ef81662a7dfd3862fc3999a3384bfe9fefca885d696c7023d3d5e6c6:922c64590222798bb761d5b6d8e72950