Unrated severityCISA KEVNVD Advisory· Published Feb 9, 2022· Updated Oct 21, 2025

CVE-2022-24682

Description

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

Affected products

Zimbra/Zimbra Collaboration Suitedescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/mitrex_refsource_MISC
wiki.zimbra.com/wiki/Security_Centermitrex_refsource_MISC
wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30mitrex_refsource_MISC
wiki.zimbra.com/wiki/Zimbra_Security_Advisoriesmitrex_refsource_MISC
www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.071
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.060