CVE-2022-24682
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- February 09, 2022
- Published Date
- February 09, 2022
- Last Updated
- January 29, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVSS Scores
SSVC Information
- Exploitation
- active
- Technical Impact
- partial
References
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Security_Center
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2022-02-25 00:00:00 UTC |