Cyber Resilience

CVE-2022-27926

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 21 April 2022
Modified: 31 October 2025
KEV Added: 03 April 2023
Patch
CVSS v3.1 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.9413 (99.9th percentile)
Risk Priority: 89 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-27926 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

A reflected cross-site scripting vulnerability exists in the /public/launchNewWindow.jsp component of Zimbra Collaboration (ZCS) version 9.0. The flaw, tracked as CVE-2022-27926 and assigned CWE-79, permits injection of arbitrary web script or HTML through request parameters. Its CVSS 3.1 score of 6.1 reflects a network attack vector, low attack complexity, no required privileges, required user interaction, and changed scope.

Unauthenticated remote attackers can exploit the issue by supplying a crafted URL whose parameters are reflected back to a victim who follows the link. Successful exploitation executes attacker-controlled script in the context of the Zimbra application, enabling theft of session tokens, redirection to malicious sites, or other client-side actions, limited to the confidentiality and integrity impacts described in the vector.

Zimbra security advisories and release notes for version 9.0.0/P24, published on the vendor wiki, identify the affected component and direct administrators to apply the corresponding patch to eliminate the reflected XSS vector.

The associated EPSS reaches a peak of 0.9620 with a current value of 0.9413, indicating sustained and elevated exploitation probability after disclosure.


Vulnerability details

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 03 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: synacor
Product: zimbra collaboration suite
Version: 9.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of untrusted request parameters before they are rendered in launchNewWindow.jsp, blocking the reflected script injection.

SI-15 Information Output Filtering (prevent)

Requires filtering of information output by the JSP component so that attacker-supplied script or HTML is neutralized before reaching the victim's browser.

SC-18 Mobile Code (partial match, prevent)

Limits or inspects mobile/active code (e.g., JavaScript) delivered through the affected public endpoint, reducing the ability of reflected payloads to execute.

References