cbcvebase.
CVE-2022-27926
published 2022-04-21


Priority: P1 79 medium
CVSS 3.1 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-04-24
Exploited in the wild
EPSS: 17.25% (96.7th percentile)
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

Affected

1 range

Vendor: synacor
Product: zimbra_collaboration_suite
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /public/launchNewWindow.jsp
url: {{BaseURL}}/public/error.jsp?errCode=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
  • Match HTTP 200 response body containing the string 'Title???' to confirm successful XSS reflection in the vulnerable Zimbra endpoint.
  • Confirm Content-Type header is text/html in the response alongside the body match for the Zimbra XSS probe.
  • Use Shodan favicon hashes 1624375939 and 475145467 to identify internet-exposed Zimbra Collaboration Suite instances for targeted scanning.
  • Use FOFA queries for Zimbra icon hashes to identify exposed ZCS instances: icon_hash='475145467' or icon_hash='1624375939'.
  • CVE-2022-27926 was actively exploited by Winter Vivern (TA473) in early 2023 against NATO countries to steal emails; treat any anomalous requests to /public/launchNewWindow.jsp with injected parameters as high-priority alerts.
  • The vulnerability affects Zimbra Collaboration (ZCS) 9.0 specifically; the fix is included in patch release 9.0.0 P24.
  • The vulnerability is unauthenticated and exploitable via GET request parameters — no session or credentials are required, lowering the bar for exploitation.
  • CISA flagged this as a Known Exploited Vulnerability with a remediation due date of 2023-04-24 for FCEB agencies; the root cause is lack of input sanitization on endpoint URL parameters.
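Added defender-side example, not part of this record or of any Zimbra or vendor tooling: a small Python access-log scanner that flags requests to the two endpoints named above whose decoded query parameters carry markup, decoding repeatedly so double-encoded probes are not missed. The Common Log Format layout, the regexes and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Endpoints from this CVE record: the vulnerable component and the probe URL's target.
WATCHED_PATHS = {"/public/launchNewWindow.jsp", "/public/error.jsp"}
# Deliberately broad: a tag opener, an on*= handler or a javascript: URL should never
# appear in a query-string value sent to these endpoints.
MARKUP_RE = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
# Assumed Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def inspect_request(target):
    """Return the decoded offending parameter value, or None if the request looks benign."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already removed one encoding layer
        if MARKUP_RE.search(decoded):
            return decoded
    return None

def scan_access_log(lines):
    """Return (ip, timestamp, status, evidence) tuples for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            evidence = inspect_request(m.group("target"))
            if evidence is not None:
                hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), evidence))
    return hits

# Constructed sample lines (not real traffic): a probe of error.jsp, a benign
# launchNewWindow.jsp request and a double-encoded probe of launchNewWindow.jsp.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2023:10:15:02 +0000] "GET /public/error.jsp?errCode=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5123',
    '198.51.100.9 - - [24/Mar/2023:10:15:10 +0000] "GET /public/launchNewWindow.jsp?id=12&localeId=en_US HTTP/1.1" 200 2210',
    '198.51.100.9 - - [24/Mar/2023:10:16:33 +0000] "GET /public/launchNewWindow.jsp?localeId=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 2210',
]
```

A 200 response on a flagged line is the combination the detection bullets above treat as a likely successful reflection; pair the alert with the source IP for follow-up.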

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd         v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck             6.1     MEDIUM
cisa                  6.1     MEDIUM