CVE-2022-27926
Published: 2022-04-21
Priority: P1 · CWE-79 · Medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-04-24
Exploited in the wild
EPSS: 17.25% (96.7th percentile)
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
Detection & IOCs (extracted from sources)
Probe URL: {{BaseURL}}/public/error.jsp?errCode=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
- Match an HTTP 200 response body containing the string 'Title???' to confirm successful XSS reflection in the vulnerable Zimbra endpoint.
- Confirm the Content-Type header is text/html in the response alongside the body match for the Zimbra XSS probe.
- Use Shodan favicon hashes 1624375939 and 475145467 to identify internet-exposed Zimbra Collaboration Suite instances.
- Use FOFA queries for Zimbra icon hashes to identify exposed ZCS instances: icon_hash='475145467' or icon_hash='1624375939'.
- CVE-2022-27926 was actively exploited by Winter Vivern (TA473) in early 2023 against NATO countries to steal emails; treat any anomalous requests to /public/launchNewWindow.jsp with injected parameters as high-priority alerts.
- The vulnerability affects Zimbra Collaboration (ZCS) 9.0 specifically; the fix is included in patch release 9.0.0 P24.
- The vulnerability is unauthenticated and exploitable via GET request parameters: no session or credentials are required, lowering the bar for exploitation.
- CISA flagged this as a Known Exploited Vulnerability with a remediation due date of 2023-04-24 for FCEB agencies; the root cause is lack of input sanitization on endpoint URL parameters.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |
| cisa | — | 6.1 | MEDIUM | — |
GHSA
GHSA-chc6-9436-6wfq · ghsa_unreviewed · 2022-04-22 · CVE-2022-27926 [MEDIUM] · CWE-79
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
vulncheck · 2022 · CVSS 6.1 · CVE-2022-27926 [MEDIUM] · CWE-79
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.welivesecurity.com/wp-content/uploads/2023/05/eset_apt_activity_report_q42022_q12023.pdf
- https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-be
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
cisa · 2023-04-03 · CVSS 6.1 · CVE-2022-27926 [MEDIUM] · CWE-79
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing.
Required Action: Apply updates per vendor instructions.
Notes:
- https://wiki.zimbra.com/wiki/Security_Center
- https://nvd.nist.gov/vuln/detail/CVE-2022-27926
Remediation Due Date: 2023-04-24
No detection rules found.
Nuclei
Zimbra Collaboration (ZCS) - Cross Site Scripting
nuclei · CVSS 6.1 · CVE-2022-27926 [MEDIUM]
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Template (fragment):
```yaml
id: CVE-2022-27926

info:
  name: Zimbra Collaboration (ZCS) - Cross Site Scripting
  author: rootxharsh,iamnoooob,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in t
```
Bleepingcomputer
## CISA: Roundcube email server bug now exploited in attacks
Sergiu Gatlan · blogs_bleepingcomputer · 2024-02-12 · CVE-2023-43770 [MEDIUM]
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages with maliciously crafted links in low-complexity attacks requiring user interaction.
The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
"We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version," the Roundcube security team said when it released CVE-2023-43770 security updates five months ago.
Whi
Bleepingcomputer
## European govt email servers hacked using Roundcube zero-day
Sergiu Gatlan · blogs_bleepingcomputer · 2023-10-25 · CVE-2023-5631 [MEDIUM]
The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day in attacks targeting European government entities and think tanks since at least October 11.
The Roundcube development team released security updates fixing the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) reported by ESET researchers on October 16.
These security patches were pushed five days after the Slovak cybersecurity company detected Russian threat actors using the zero-day in real-world attacks.
According to ESET's findings, the cyberespionage group (also known as TA473) used HTML email messages containing carefully crafted SVG documents to remotely inject arbitrary JavaScript code.
Their
References:
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27926
Timeline:
- 2022-04-21: Published
- 2023-04-03: Added to CISA KEV
- Exploited in the wild