CVE-2025-27915: n/a
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.
AI Analysis
Technical Summary
CVE-2025-27915 is a stored cross-site scripting (XSS) vulnerability identified in the Classic Web Client of Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1. The root cause is insufficient sanitization of HTML content embedded within ICS calendar files attached to emails. Specifically, the payload places JavaScript in an ontoggle event handler on a <details> HTML tag, which the client renders without neutralizing it. When a user views an email containing a crafted ICS file with this payload, the JavaScript executes within the context of the user's session. This execution allows attackers to perform unauthorized actions such as modifying email filters to redirect incoming emails to attacker-controlled addresses, facilitating data exfiltration or interception of sensitive communications. The vulnerability requires the victim to open the malicious email (user interaction), and the attacker must have at least limited privileges (PR:L) to send such emails. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, user interaction needed, scope changed, and low impact on confidentiality and integrity with no availability impact. No public exploits have been reported yet, and no patches are currently linked, indicating a need for proactive mitigation. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS category.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of email communications. Successful exploitation can lead to unauthorized email redirection, enabling attackers to intercept sensitive information or conduct further phishing or social engineering attacks. Organizations relying on Zimbra Collaboration Suite for email and calendaring services may experience data leakage or compromise of user accounts. The scope includes all users of the Classic Web Client who open malicious emails with crafted ICS attachments. Given the widespread use of Zimbra in government, education, and enterprise sectors across Europe, the impact could affect critical communications and data privacy compliance requirements such as GDPR. While availability is not impacted, the breach of confidentiality and integrity can lead to reputational damage, regulatory penalties, and operational disruptions. The requirement for user interaction and some privilege level reduces the likelihood of mass exploitation but targeted attacks against high-value individuals or departments remain a concern.
Mitigation Recommendations
1. Apply patches or updates from Zimbra as soon as they become available to address this vulnerability.
2. Implement strict email filtering rules to block or quarantine emails containing ICS attachments from untrusted sources.
3. Configure the Classic Web Client or mail gateway to sanitize or disable rendering of HTML content within ICS files, if possible.
4. Educate users about the risks of opening unexpected calendar invitations or attachments, emphasizing caution with ICS files.
5. Monitor email filter rules and account settings for unauthorized changes, enabling rapid detection and response.
6. Employ Content Security Policy (CSP) headers or other browser-based mitigations to limit script execution in webmail clients.
7. Consider migrating users to updated or alternative clients that do not exhibit this vulnerability.
8. Conduct regular security audits and penetration testing focused on email and calendaring systems to identify similar weaknesses.
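As a gateway-side check supporting recommendations 2, 3 and 5, the following scanner is an added illustration (not code from the advisory or from Zimbra): it unfolds an ICS file per RFC 5545, pulls the properties that may carry HTML, and flags inline on* event-handler attributes such as the ontoggle handler described above; the sample ICS is constructed and its handler body is a harmless comment.

```python
import re

# Constructed sample ICS (not taken from the advisory). The X-ALT-DESC value is
# folded across lines per RFC 5545, which splits "ontoggle" so that a naive
# line-by-line grep would miss it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda attached.\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><p>Agenda</p><details open ont\r\n"
    " oggle=\"/* handler body omitted in this sample */\">notes</details></bod\r\n"
    " y></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

HTML_PROPERTIES = ("DESCRIPTION", "X-ALT-DESC", "COMMENT")
TAG = re.compile(r"<[^>]+>")
EVENT_ATTR = re.compile(r"\s(on[a-z]+)\s*=", re.IGNORECASE)

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a CRLF followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def html_properties(ics: str):
    """Yield (property name, unescaped value) for properties that may hold HTML."""
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        base = name.split(";")[0].upper()        # drop parameters such as FMTTYPE
        if base in HTML_PROPERTIES:
            value = re.sub(r"\\([nN])", "\n", value)    # \n / \N -> newline
            value = re.sub(r"\\([,;\\])", r"\1", value)  # \, \; \\ -> literal
            yield base, value

def find_event_handlers(ics: str) -> list[tuple[str, str]]:
    """Return (property, attribute) for every inline on* handler inside a tag."""
    found = []
    for prop, value in html_properties(ics):
        for tag in TAG.findall(value):
            for m in EVENT_ATTR.finditer(tag):
                found.append((prop, m.group(1).lower()))
    return found

def strip_event_handlers(html: str) -> str:
    """Minimal neutralization for a quarantine preview: drop on* attributes.
    This is an illustration only, not a substitute for a full HTML sanitizer."""
    return re.sub(r"""\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "",
                  html, flags=re.IGNORECASE)
```

Running find_event_handlers on the sample returns the X-ALT-DESC property with its ontoggle attribute, which is the signal a gateway rule would act on.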
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-10T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68e490596ce96be75a027aa0
Added to database: 10/7/2025, 4:00:25 AM
Last enriched: 10/7/2025, 4:00:46 AM
Last updated: 10/7/2025, 8:59:21 AM