CVE-2022-24682: Zimbra Webmail Cross-Site Scripting Vulnerability
First published: Wed Feb 09 2022(Updated: )
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zimbra Collaboration | >=8.8<8.8.15 | |
| Zimbra Collaboration | =8.8.15 | |
| Zimbra Collaboration | =8.8.15-p1 | |
| Zimbra Collaboration | =8.8.15-p10 | |
| Zimbra Collaboration | =8.8.15-p11 | |
| Zimbra Collaboration | =8.8.15-p12 | |
| Zimbra Collaboration | =8.8.15-p13 | |
| Zimbra Collaboration | =8.8.15-p14 | |
| Zimbra Collaboration | =8.8.15-p15 | |
| Zimbra Collaboration | =8.8.15-p16 | |
| Zimbra Collaboration | =8.8.15-p17 | |
| Zimbra Collaboration | =8.8.15-p18 | |
| Zimbra Collaboration | =8.8.15-p19 | |
| Zimbra Collaboration | =8.8.15-p2 | |
| Zimbra Collaboration | =8.8.15-p20 | |
| Zimbra Collaboration | =8.8.15-p21 | |
| Zimbra Collaboration | =8.8.15-p22 | |
| Zimbra Collaboration | =8.8.15-p23 | |
| Zimbra Collaboration | =8.8.15-p24 | |
| Zimbra Collaboration | =8.8.15-p25 | |
| Zimbra Collaboration | =8.8.15-p26 | |
| Zimbra Collaboration | =8.8.15-p27 | |
| Zimbra Collaboration | =8.8.15-p28 | |
| Zimbra Collaboration | =8.8.15-p29 | |
| Zimbra Collaboration | =8.8.15-p3 | |
| Zimbra Collaboration | =8.8.15-p4 | |
| Zimbra Collaboration | =8.8.15-p5 | |
| Zimbra Collaboration | =8.8.15-p6 | |
| Zimbra Collaboration | =8.8.15-p7 | |
| Zimbra Collaboration | =8.8.15-p8 | |
| Zimbra Collaboration | =8.8.15-p9 | |
| Zimbra Collaboration email server | =8.8.15 Patch 41 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
Frequently Asked Questions
What is CVE-2022-24682?
CVE-2022-24682 is a Cross-Site Scripting vulnerability in Zimbra Webmail.
How does CVE-2022-24682 affect Zimbra Collaboration Suite?
CVE-2022-24682 affects Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1).
How can an attacker exploit CVE-2022-24682?
An attacker can place HTML containing executable JavaScript inside element attributes to exploit CVE-2022-24682.
What is the severity of CVE-2022-24682?
CVE-2022-24682 has a severity level of 6.1 (Medium).
How can I fix CVE-2022-24682?
To fix CVE-2022-24682, update Zimbra Collaboration Suite to version 8.8.15 patch 30 (update 1) or later.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- zeroday/true
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- collector/nvd-api
- collector/nvd-index
- vendor/zimbra
- canonical/zimbra collaboration email server
- version/zimbra collaboration email server/8.8.15 patch 41
- canonical/zimbra webmail
- canonical/zimbra collaboration
- version/zimbra collaboration/8.8
- version/zimbra collaboration/8.8.15
- version/zimbra collaboration/8.8.15-p1
- version/zimbra collaboration/8.8.15-p10
- version/zimbra collaboration/8.8.15-p11
- version/zimbra collaboration/8.8.15-p12
- version/zimbra collaboration/8.8.15-p13
- version/zimbra collaboration/8.8.15-p14
- version/zimbra collaboration/8.8.15-p15
- version/zimbra collaboration/8.8.15-p16
- version/zimbra collaboration/8.8.15-p17
- version/zimbra collaboration/8.8.15-p18
- version/zimbra collaboration/8.8.15-p19
- version/zimbra collaboration/8.8.15-p2
- version/zimbra collaboration/8.8.15-p20
- version/zimbra collaboration/8.8.15-p21
- version/zimbra collaboration/8.8.15-p22
- version/zimbra collaboration/8.8.15-p23
- version/zimbra collaboration/8.8.15-p24
- version/zimbra collaboration/8.8.15-p25
- version/zimbra collaboration/8.8.15-p26
- version/zimbra collaboration/8.8.15-p27
- version/zimbra collaboration/8.8.15-p28
- version/zimbra collaboration/8.8.15-p29
- version/zimbra collaboration/8.8.15-p3
- version/zimbra collaboration/8.8.15-p4
- version/zimbra collaboration/8.8.15-p5
- version/zimbra collaboration/8.8.15-p6
- version/zimbra collaboration/8.8.15-p7
- version/zimbra collaboration/8.8.15-p8
- version/zimbra collaboration/8.8.15-p9