CVE-2022-24682

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24682
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24682.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24682
Published
2022-02-09T04:15:07Z
Modified
2025-11-09T15:06:21.369793Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

Affected packages

Git

github.com/zimbra/zm-mailbox

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-mailbox
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.12
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "130804680382483964301386928646396783356",
            "length": 461.0
        },
        "target": {
            "file": "store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java",
            "function": "updateLastLogon"
        },
        "signature_version": "v1",
        "id": "CVE-2022-24682-4314dc38",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "35532726304441886843822597725517922529",
                "86869606749296562789619135716824747966",
                "329209388892522800440224682947664957145",
                "301198994465565842404478996247629867721",
                "249110717571679374632676844697594286961",
                "165150619554600532748713227738510509377",
                "135793442757343879754509969633552703576",
                "99023990949396355242231588957425096724"
            ]
        },
        "target": {
            "file": "store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"
        },
        "signature_version": "v1",
        "id": "CVE-2022-24682-96c6e311",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e"
    }
]

github.com/zimbra/zm-zcs

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.0beta2
8.8.10
8.8.11
8.8.12
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9

github.com/zimbra/zm-zcs-lib

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs-lib
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.12
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9

github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.11.p3
8.8.12
8.8.2
8.8.3
8.8.4
8.8.6
8.8.7
8.8.8
8.8.9
8.8.9.p1
8.8.9.p3