CVE-2022-27926
Published: 21 April 2022
Summary
CVE-2022-27926 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
A reflected cross-site scripting vulnerability exists in the /public/launchNewWindow.jsp component of Zimbra Collaboration (ZCS) version 9.0. The flaw, tracked as CVE-2022-27926 and assigned CWE-79, permits injection of arbitrary web script or HTML through request parameters and carries a CVSS 3.1 score of 6.1, reflecting a network attack vector, low attack complexity, no privileges required, required user interaction, and a changed scope.
Unauthenticated remote attackers can exploit the issue by supplying a crafted URL that reflects malicious content back to a victim who follows the link. Successful exploitation allows execution of attacker-controlled script in the context of the Zimbra application, enabling theft of session tokens, redirection to malicious sites, or other client-side actions limited to the confidentiality and integrity impacts described in the vector.
Zimbra security advisories and release notes for version 9.0.0/P24, published on the vendor wiki, identify the affected component and direct administrators to apply the corresponding patch to eliminate the reflected XSS vector.
The associated EPSS score peaked at 0.9620 and currently stands at 0.9413, indicating sustained, elevated exploitation probability after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32414
Vulnerability details
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
- CWE(s): CWE-79
- KEV date added: 03 April 2023
Related Threats
No named actor attribution yet; ATT&CK technique mapping is in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted request parameters before they are rendered in launchNewWindow.jsp, blocking the reflected script injection.
- SI-15 (Information Output Filtering): requires filtering of the information output by the JSP component so that attacker-supplied script or HTML is neutralized before it reaches the victim's browser.
- Mobile code restrictions: limit or inspect mobile/active code (e.g., JavaScript) delivered through the affected public endpoint, reducing the ability of reflected payloads to execute.
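As an added example (not from this page, Zimbra, or the vendor advisory), a small Python scanner for the detection side of SI-10: it parses constructed web-server access-log lines, percent-decodes the query parameters of requests to the affected /public/launchNewWindow.jsp path (repeatedly, so double-encoded values are not missed), and flags requests whose parameters carry tag delimiters or script-bearing tokens. The log lines, client addresses, and the helper names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines in combined-log style (illustrative only,
# not from a real Zimbra deployment); the third one is double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2022:10:00:01 +0000] "GET /public/launchNewWindow.jsp?id=1&name=inbox HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2022:10:00:02 +0000] "GET /public/launchNewWindow.jsp?name=%3Cscript%3Ebad()%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2022:10:00:03 +0000] "GET /public/launchNewWindow.jsp?name=%253Cb%253E HTTP/1.1" 200 600 "-" "curl/7.80"
203.0.113.9 - - [01/May/2022:10:00:04 +0000] "GET /zimbra/?app=mail&%3Cx%3E=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

AFFECTED_PATH = "/public/launchNewWindow.jsp"   # endpoint named in the advisory
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Tokens that have no place in a value this page reflects into HTML:
# tag delimiters, quotes, the javascript: scheme and inline event handlers.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded value (%253C -> %3C -> <)
    is still seen; stop as soon as another round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Names of query parameters whose decoded name or value carries markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        name, value = fully_decode(name), fully_decode(value)
        if MARKUP_RE.search(name) or MARKUP_RE.search(value):
            hits.append(name)
    return hits

def scan_log(text):
    """Return (client_ip, flagged_parameter_names) for each request to the
    affected JSP whose query string carries markup; other paths are ignored."""
    findings = []
    for m in filter(None, map(REQUEST_RE.match, text.splitlines())):
        ip, _method, url = m.groups()
        hits = suspicious_params(url) if urlsplit(url).path == AFFECTED_PATH else []
        if hits:
            findings.append((ip, hits))
    return findings
```

Matches are a triage signal for the affected endpoint on unpatched hosts, not proof of exploitation; the vendor patch and output filtering remain the actual fix.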