CVE-2022-24682

CVSS 6.1 MEDIUM · EPSS 31.1% · KEV · CWE-116
In short

A vulnerability in Zimbra's Calendar feature allows attackers to inject malicious JavaScript code through HTML in calendar elements. This can lead to unauthorized actions being performed in a user's calendar or account when they view the affected content.

Technical detail

The vulnerability exists in the Calendar feature where user-supplied input in element attributes is not properly escaped before being rendered in the DOM, resulting in HTML/JavaScript injection (CWE-116). An attacker can craft malicious calendar entries or events containing JavaScript payloads that execute in the context of a victim's browser session, potentially leading to session hijacking, account compromise, or unauthorized calendar modifications.
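The following is an added illustration of the bug class named above (improper output encoding in an attribute context); it is not Zimbra code and does not reproduce the actual vulnerable component. The function and variable names are invented, and the sample event title is a constructed value that contains a quote and an extra attribute, which is enough to show the difference between raw concatenation and proper encoding.

```javascript
// Added example, not from Zimbra: encode untrusted text for HTML attribute and text contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical): the title is concatenated straight into a title="" attribute.
// A quote character in the title terminates the attribute and any following text becomes markup.
function renderEventUnsafe(title) {
  return '<div class="event" title="' + title + '">' + title + '</div>';
}

// Hardened pattern: the title is encoded, so quotes cannot close the attribute.
function renderEventSafe(title) {
  const enc = escapeHtml(title);
  return '<div class="event" title="' + enc + '">' + enc + '</div>';
}

// Crude defender-side check: count the attributes on the rendered element.
// If an input can raise this count, attribute injection is possible.
function countAttributes(html) {
  const tag = html.match(/^<[a-z]+([^>]*)>/i);
  if (!tag) return 0;
  return (tag[1].match(/\b[a-z-]+="[^"]*"/gi) || []).length;
}

// Constructed sample input: a calendar title carrying a quote and a stray attribute.
const sampleTitle = 'Standup" data-x="injected';

// Expected: unsafe rendering gains a third attribute, safe rendering keeps the two it was given.
// countAttributes(renderEventUnsafe(sampleTitle)) -> 3
// countAttributes(renderEventSafe(sampleTitle))   -> 2
```

The check is deliberately simple; in a real review the point is that encoding must be chosen per output context (attribute, text node, URL, script), and the attribute context is the one this CVE concerns.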

Summary generated and translated by AI from the official description.
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a