CISA KEV Information
| Vulnerability name | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability |
|---|---|
| Description | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability in the Calendar feature that allows an attacker to execute arbitrary code. |
| Required action | Apply updates per vendor instructions. |
| Known use in ransomware campaigns | Known |
| CWE | CWE-79, CWE-116 |
| Date added (KEV) | 2022-02-25 |
| Due date | 2022-03-11 |
| Additional reference | https://nvd.nist.gov/vuln/detail/CVE-2022-24682 |
NVD Details
CVSS v3.1: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v2.0: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CWE: CWE-116
References
- https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/ [Vendor Advisory]
- https://wiki.zimbra.com/wiki/Security_Center [Vendor Advisory]
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30 [Release Notes, Vendor Advisory]
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories [Vendor Advisory]
- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ [Exploit, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24682 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.