{"id":"CVE-2022-24682","details":"An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.","modified":"2025-12-10T10:07:59.699122Z","published":"2022-02-09T04:15:07.400Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24682"},{"type":"ADVISORY","url":"https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Security_Center"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"},{"type":"EVIDENCE","url":"https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"fixed":"ac6081fa002b1511e926aba37740d2b6c20f3f43"}]}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.11","8.8.11.p3","8.8.12","8.8.2","8.8.3","8.8.4","8.8.6","8.8.7","8.8.8","8.8.9","8.8.9.p1","8.8.9.p3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24682.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"fixed":"d30e647f21ecef5490f21facf2e06e228b44a36e"}]}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.11","8.8.12","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24682.json","vanir_signatures":[{"id":"CVE-2022-24682-4314dc38","signature_version":"v1","digest":{"function_hash":"130804680382483964301386928646396783356","length":461},"signature_type":"Function","target":{"function":"updateLastLogon","file":"store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"},"deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e"},{"id":"CVE-2022-24682-96c6e311","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["35532726304441886843822597725517922529","86869606749296562789619135716824747966","329209388892522800440224682947664957145","301198994465565842404478996247629867721","249110717571679374632676844697594286961","165150619554600532748713227738510509377","135793442757343879754509969633552703576","99023990949396355242231588957425096724"]},"signature_type":"Line","target":{"file":"store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"},"deprecated":false,"source":"https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e"}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-zcs","events":[{"introduced":"0"},{"fixed":"6c72db05e6f1b89c511ba5c08ec4b6399bec7bb6"}]}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.0beta2","8.8.10","8.8.11","8.8.12","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24682.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-zcs-lib","events":[{"introduced":"0"},{"fixed":"41db44a222b547dcc89ab50273cb8684195c09c2"}]}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.11","8.8.12","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24682.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}