CVE-2022-24682
CVE-2022-24682 is a medium-severity vulnerability in Synacor Zimbra Collaboration Suite with a CVSS 3.x base score of 6.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-25). The underlying weakness is classified as CWE-116.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v2: 4.3
- EPSS exploit prediction: 31% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-25)
- EU (EUVD) id: EUVD-2022-29554
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-25)
- Weakness: CWE-116
- Affected product: Synacor Zimbra Collaboration Suite
- Published:
- Last modified:
Description
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
CVE-2022-24682: Stored XSS in Zimbra Collaboration Suite Calendar
AI-generated analysis based on the vulnerability data on this page.
Summary
Zimbra Collaboration Suite 8.8.x before patch 30 contains a stored cross-site scripting vulnerability in the Calendar feature. An attacker can inject HTML containing executable JavaScript into element attributes, which the application fails to properly escape, leading to arbitrary markup injection. This vulnerability was exploited in the wild beginning December 2021 and is listed in CISA's Known Exploited Vulnerabilities catalog.
Background
Zimbra Collaboration Suite is a widely deployed email and collaboration platform used by enterprises, government agencies, and service providers. The Calendar module allows users to create, share, and manage events through a web interface. In late 2021, security researchers at Volexity identified active exploitation of a zero-day vulnerability in this component, later assigned CVE-2022-24682. The issue stemmed from how the Calendar application handled user-supplied content within certain HTML element attributes.
Root Cause
The vulnerability is classified under CWE-116: Improper Encoding or Escaping of Output. Specifically, the Calendar feature fails to sanitize or escape HTML content placed inside element attributes. When an attacker supplies markup containing executable JavaScript within these attributes, the application renders it unescaped into the document. This breaks the intended boundary between data and code, allowing injected scripts to execute in the context of the victim's browser session.
Impact
The National Vulnerability Database rates this flaw with a CVSS 3.1 score of 6.1 (Medium severity). The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reflects that exploitation requires network access, low attack complexity, no privileges, but does require user interaction. The changed scope (S:C) indicates the vulnerable component impacts resources beyond its security scope. The confidentiality and integrity impacts are rated Low, with no availability impact. In practice, successful exploitation allows an attacker to execute JavaScript in a victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the Zimbra interface.
Exploitation Walkthrough
This section describes the attack flow from a defensive perspective to aid understanding and detection. No weaponized exploit code is provided.
An attacker crafts a calendar event or invitation containing malicious HTML with JavaScript payloads embedded within element attributes. When a victim views the calendar entry through the Zimbra web interface, the unsanitized markup is rendered directly into the page. The browser executes the injected script in the context of the authenticated user's session. Because the application trusts the rendered content, the script can access cookies, perform actions on behalf of the user, or redirect the victim to attacker-controlled infrastructure. This vulnerability was actively exploited in the wild beginning December 2021, with threat actors leveraging it as part of broader espionage campaigns.
Affected and Patched Versions
Affected products include Zimbra Collaboration Suite 8.8.x versions prior to 8.8.15 patch 30 (update 1). This encompasses all patch levels from the initial 8.8.15 release through patch 29. The vulnerability does not affect versions that have been updated to 8.8.15 patch 30 or later.
Remediation
Organizations should upgrade to Zimbra Collaboration Suite 8.8.15 patch 30 (update 1) or a later supported version as soon as possible. Zimbra released a hotfix on February 5, 2022. For environments where immediate patching is not feasible, consider the following compensating controls:
- Restrict external access to the Zimbra web interface to trusted networks or VPN-only connectivity.
- Implement Content Security Policy (CSP) headers to mitigate the impact of injected scripts.
- Enable multi-factor authentication to reduce the risk of session hijacking if exploitation occurs.
- Monitor for suspicious calendar invites from untrusted sources.
Detection
Security teams can detect potential exploitation through several methods:
- Monitor web proxy and WAF logs for calendar-related requests containing HTML with embedded JavaScript in element attributes.
- Review Zimbra access logs for anomalous patterns following calendar event creation or viewing.
- Deploy endpoint detection and response (EDR) solutions to identify browser processes spawning unexpected child processes or making suspicious outbound connections after Zimbra usage.
- Look for unauthorized administrative actions or email forwarding rules created shortly after calendar events are viewed.
Assessment
With an EPSS score of 0.3106 and a percentile ranking of 98.046, this vulnerability sits in the highest tier of exploitation probability. Its inclusion in CISA's Known Exploited Vulnerabilities catalog on February 25, 2022, and confirmation of in-the-wild exploitation since December 2021 underscore its real-world threat. The relatively accessible attack vector—network-based, low complexity, no privileges required—combined with active exploitation by advanced threat actors makes this a high-priority patching target despite its Medium CVSS base score.
Key lessons from this case include: (1) client-side input sanitization alone is insufficient; server-side output encoding must be applied consistently, especially for rich-content features like calendars, and (2) CVSS base scores do not always capture active exploitation context—security teams should weight EPSS and KEV status heavily when prioritizing patch queues.
References
- https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24682
Frequently asked questions
- What is CVE-2022-24682?
- An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
- How severe is CVE-2022-24682?
- CVE-2022-24682 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2022-24682 being actively exploited?
- Yes. CVE-2022-24682 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-24682?
- CVE-2022-24682 primarily affects Synacor Zimbra Collaboration Suite. In total, 31 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-24682?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-24682 have an EU (EUVD) identifier?
- Yes. CVE-2022-24682 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-29554. It is also flagged as exploited in the EUVD (since 2022-02-25).
- When was CVE-2022-24682 published?
- CVE-2022-24682 was published on 2022-02-09 and last updated on 2026-06-17.
References
- https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24682
Affected products (31)
- cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:-:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p1:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p10:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p11:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p12:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p13:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p14:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p15:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p16:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p17:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p18:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p19:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p2:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p20:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p21:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p22:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p23:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p24:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p25:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p26:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p27:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p28:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p29:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p3:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p4:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p5:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p6:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p7:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p8:*:*:*:*:*:*
- cpe:2.3:a:synacor:zimbra_collaboration_suite:8.8.15:p9:*:*:*:*:*:*
More vulnerabilities in Synacor Zimbra Collaboration Suite
- CVE-2024-45519 — Critical (CVSS 10.0): The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before…
- CVE-2022-41352 — Critical (CVSS 9.8): An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through…
- CVE-2022-37042 — Critical (CVSS 9.8): Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts…
- CVE-2020-7796 — Critical (CVSS 9.8): Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is…
- CVE-2019-9670 — Critical (CVSS 9.8): mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection…
- CVE-2019-6980 — Critical (CVSS 9.8): Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
All CVEs affecting Synacor Zimbra Collaboration Suite →
Other CWE-116 vulnerabilities
- CVE-2025-55730 — Critical (CVSS 10.0): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in…
- CVE-2025-55729 — Critical (CVSS 10.0): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in…
- CVE-2023-47143 — Critical (CVSS 10.0): IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection,…
- CVE-2023-26472 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with…
- CVE-2022-41934 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with…
- CVE-2022-36100 — Critical (CVSS 9.9): XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform.…