CVE-2022-24682

CVE-2022-24682 is a medium-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 6.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-25). The underlying weakness is classified as CWE-116.

Key facts

Description

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

CVE-2022-24682: Stored XSS in Zimbra Collaboration Suite Calendar

AI-generated analysis based on the vulnerability data on this page.

Summary

Zimbra Collaboration Suite 8.8.x before patch 30 contains a stored cross-site scripting vulnerability in the Calendar feature. An attacker can inject HTML containing executable JavaScript into element attributes, which the application fails to properly escape, leading to arbitrary markup injection. This vulnerability was exploited in the wild beginning December 2021 and is listed in CISA's Known Exploited Vulnerabilities catalog.

Background

Zimbra Collaboration Suite is a widely deployed email and collaboration platform used by enterprises, government agencies, and service providers. The Calendar module allows users to create, share, and manage events through a web interface. In late 2021, security researchers at Volexity identified active exploitation of a zero-day vulnerability in this component, later assigned CVE-2022-24682. The issue stemmed from how the Calendar application handled user-supplied content within certain HTML element attributes.

Root Cause

The vulnerability is classified under CWE-116: Improper Encoding or Escaping of Output. Specifically, the Calendar feature fails to sanitize or escape HTML content placed inside element attributes. When an attacker supplies markup containing executable JavaScript within these attributes, the application renders it unescaped into the document. This breaks the intended boundary between data and code, allowing injected scripts to execute in the context of the victim's browser session.

Impact

The National Vulnerability Database rates this flaw with a CVSS 3.1 score of 6.1 (Medium severity). The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reflects that exploitation requires network access, low attack complexity, no privileges, but does require user interaction. The changed scope (S:C) indicates the vulnerable component impacts resources beyond its security scope. The confidentiality and integrity impacts are rated Low, with no availability impact. In practice, successful exploitation allows an attacker to execute JavaScript in a victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the Zimbra interface.

Exploitation Walkthrough

This section describes the attack flow from a defensive perspective to aid understanding and detection. No weaponized exploit code is provided.

An attacker crafts a calendar event or invitation containing malicious HTML with JavaScript payloads embedded within element attributes. When a victim views the calendar entry through the Zimbra web interface, the unsanitized markup is rendered directly into the page. The browser executes the injected script in the context of the authenticated user's session. Because the application trusts the rendered content, the script can access cookies, perform actions on behalf of the user, or redirect the victim to attacker-controlled infrastructure. This vulnerability was actively exploited in the wild beginning December 2021, with threat actors leveraging it as part of broader espionage campaigns.

Affected and Patched Versions

Affected products include Zimbra Collaboration Suite 8.8.x versions prior to 8.8.15 patch 30 (update 1). This encompasses all patch levels from the initial 8.8.15 release through patch 29. The vulnerability does not affect versions that have been updated to 8.8.15 patch 30 or later.

Remediation

Organizations should upgrade to Zimbra Collaboration Suite 8.8.15 patch 30 (update 1) or a later supported version as soon as possible. Zimbra released a hotfix on February 5, 2022. For environments where immediate patching is not feasible, consider the following compensating controls:

  • Restrict external access to the Zimbra web interface to trusted networks or VPN-only connectivity.
  • Implement Content Security Policy (CSP) headers to mitigate the impact of injected scripts.
  • Enable multi-factor authentication to reduce the risk of session hijacking if exploitation occurs.
  • Monitor for suspicious calendar invites from untrusted sources.

Detection

Security teams can detect potential exploitation through several methods:

  • Monitor web proxy and WAF logs for calendar-related requests containing HTML with embedded JavaScript in element attributes.
  • Review Zimbra access logs for anomalous patterns following calendar event creation or viewing.
  • Deploy endpoint detection and response (EDR) solutions to identify browser processes spawning unexpected child processes or making suspicious outbound connections after Zimbra usage.
  • Look for unauthorized administrative actions or email forwarding rules created shortly after calendar events are viewed.

Assessment

With an EPSS score of 0.3106 and a percentile ranking of 98.046, this vulnerability sits in the highest tier of exploitation probability. Its inclusion in CISA's Known Exploited Vulnerabilities catalog on February 25, 2022, and confirmation of in-the-wild exploitation since December 2021 underscore its real-world threat. The relatively accessible attack vector—network-based, low complexity, no privileges required—combined with active exploitation by advanced threat actors makes this a high-priority patching target despite its Medium CVSS base score.

Key lessons from this case include: (1) client-side input sanitization alone is insufficient; server-side output encoding must be applied consistently, especially for rich-content features like calendars, and (2) CVSS base scores do not always capture active exploitation context—security teams should weight EPSS and KEV status heavily when prioritizing patch queues.

References

Frequently asked questions

What is CVE-2022-24682?
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
How severe is CVE-2022-24682?
CVE-2022-24682 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2022-24682 being actively exploited?
Yes. CVE-2022-24682 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-24682?
CVE-2022-24682 primarily affects Synacor Zimbra Collaboration Suite. In total, 31 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-24682?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-24682 have an EU (EUVD) identifier?
Yes. CVE-2022-24682 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-29554. It is also flagged as exploited in the EUVD (since 2022-02-25).
When was CVE-2022-24682 published?
CVE-2022-24682 was published on 2022-02-09 and last updated on 2026-06-17.

References

Affected products (31)

More vulnerabilities in Synacor Zimbra Collaboration Suite

All CVEs affecting Synacor Zimbra Collaboration Suite →

Other CWE-116 vulnerabilities

Browse all CWE-116 vulnerabilities →