CVE-2022-24682
MEDIUM | CISA KEV | 6.1
Description
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVE Details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2/9/2022
Last modified: 11/4/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Synacor
Product: Zimbra Collaborate Suite (ZCS)
Vulnerability name: Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability
Date added to KEV: 2022-02-25
Remediation due date: 2022-03-11
Ransomware use: Known
Affected products
synacor:zimbra_collaboration_suite
Weaknesses (CWE)
CWE-116
References
https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/ (cve@mitre.org)
https://wiki.zimbra.com/wiki/Security_Center (cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30 (cve@mitre.org)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (cve@mitre.org)
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ (cve@mitre.org)
https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/ (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.zimbra.com/wiki/Security_Center (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30 (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (af854a3a-2127-422b-91ae-364da2661108)
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24682 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.