CVE-2022-27926

CVSS 6.1 MEDIUM · EPSS 17.3% · KEV · CWE-79

In short

A flaw in Zimbra Collaboration 9.0 allows attackers to inject malicious scripts into web pages through URL parameters; the scripts then execute in users' browsers. An attacker can use this to steal sensitive data or hijack user sessions, and needs no login to do so.

Technical detail

A reflected XSS vulnerability in the /public/launchNewWindow.jsp component is exploitable via unsanitized request parameters. Unauthenticated attackers can craft malicious URLs that inject arbitrary JavaScript, which executes in victims' browsers, compromising session integrity and enabling credential theft.

Summary generated and translated by AI from the official description.
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
