CVE-2022-24682
critical-risk
Published 2022-02-09
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
Do I need to act?
88.0% chance of exploitation in next 30 days
EPSS score — higher than 12% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.1/10 · Medium
NETWORK / LOW complexity
Affected Products (20)
References (11)
Vendor Advisory
https://wiki.zimbra.com/wiki/Security_Center
Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30
Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-...
73 / 100 · critical-risk
Severity: 23/34 · High
Exploitability: 27/34 · High
Exposure: 23/34 · High