CVE-2022-27926 is a vulnerability in Zimbra Collaboration
Published on April 21, 2022

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.


Known Exploited Vulnerability

This Zimbra Collaboration (ZCS) cross-site scripting (XSS) vulnerability is on CISA's Known Exploited Vulnerabilities (KEV) list, meaning CISA has evidence of exploitation in the wild. CISA's summary: ZCS contains a cross-site scripting vulnerability because an endpoint URL accepts request parameters without sanitizing them.

CISA's remediation, required for federal agencies by April 24, 2023 and recommended for everyone else: apply updates per vendor instructions.
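Because this CVE is on the KEV list, a practitioner will also want to check web server access logs for past attempts against the endpoint named in the description. The script below is an added example and is not Zimbra's code or part of the advisory: it parses Combined Log Format lines, selects requests to /public/launchNewWindow.jsp, URL-decodes each query parameter (repeatedly, since attackers double-encode) and flags generic script-injection markers. The log lines and parameter names are constructed for the example; the real exploit parameters are not reproduced here.

```python
"""Hunt for reflected-XSS attempts against the ZCS endpoint named in the CVE.

Added example, not code from Zimbra or from the advisory. The log lines and
parameter names below are constructed; the markers are generic XSS patterns.
"""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Endpoint named in the CVE-2022-27926 description.
TARGET_PATH = "/public/launchNewWindow.jsp"

# Generic markers of script injection in a reflected parameter; matched after decoding.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|body)\b|\balert\s*\(",
    re.IGNORECASE,
)

# Combined Log Format: ip - - [timestamp] "METHOD url HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_repeatedly(value, limit=3):
    """Undo up to `limit` layers of URL encoding; attackers often double-encode."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return [(name, decoded_value)] for parameters on the target path that look like XSS."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH.lower():
        return []
    hits = []
    # parse_qsl already removes one layer of percent-encoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_repeatedly(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def hunt(lines):
    """Scan log lines; return one finding per request with suspicious parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),  # a 200 means the page reflected it
                "params": hits,
            })
    return findings


# Constructed sample log lines (not real traffic); "param" is a placeholder name.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2022:10:00:01 +0000] "GET /public/launchNewWindow.jsp?skin=harmony HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Apr/2022:10:02:13 +0000] "GET /public/launchNewWindow.jsp?param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1301 "-" "curl/7.81"',
    '198.51.100.7 - - [21/Apr/2022:10:02:20 +0000] "GET /public/launchNewWindow.jsp?param=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 1299 "-" "curl/7.81"',
    '203.0.113.9 - - [21/Apr/2022:10:05:00 +0000] "GET /other.jsp?q=%3Cscript%3E HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["params"])
```

Requests that hit the endpoint with a 200 response are the ones to triage first, since a reflected payload that was served is a likely successful delivery; widen XSS_MARKERS to taste, but keep decoding before matching or encoded payloads slip past.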

Vulnerability Analysis

CVE-2022-27926 is exploitable over the network without authentication, but it requires user interaction: as with any reflected XSS, a victim must be induced to open a crafted link to the vulnerable endpoint. Attack complexity is rated low. Its CVSS v3 exploitability subscore is 2.8 (the maximum is 3.9). The impact of a successful exploit is rated low for confidentiality and integrity, and none for availability.

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-27926 has been classified as an XSS vulnerability or weakness (CWE-79, Improper Neutralization of Input During Web Page Generation).
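The definition above is abstract; the contrast between the vulnerable pattern and its fix is concrete. The following is an added example, not Zimbra's code and not a reproduction of the affected JSP: a request parameter reflected raw into the page (the CWE-79 pattern) next to the same page built with context-aware output encoding. It goes slightly beyond the single-context case by also handling a URL attribute, where HTML escaping alone is not enough. Parameter names and markup are hypothetical.

```python
"""Reflected XSS: raw reflection versus context-aware output encoding.

Added example illustrating CWE-79; it is not Zimbra's code. The parameter
names, markup and payloads are hypothetical.
"""
import html
from urllib.parse import urlsplit


def render_unsafe(title):
    """Vulnerable pattern: user-controlled input dropped into the page unencoded."""
    return f"<html><body><h1>{title}</h1></body></html>"


def encode_for_html(s):
    """HTML element and quoted-attribute context: neutralize < > & \" and '."""
    return html.escape(s, quote=True)


def safe_url(s):
    """URL attribute context: allow-list the scheme, then HTML-encode the result.

    Escaping alone does not stop javascript: URLs, so the scheme is checked
    first. Protocol-relative (//host) links are rejected too.
    """
    s = s.strip()
    scheme = urlsplit(s).scheme.lower()
    if scheme in ("http", "https"):
        return encode_for_html(s)
    if scheme == "" and s.startswith("/") and not s.startswith("//"):
        return encode_for_html(s)
    return "#"  # neutral fallback for anything else


def render_safe(title, link):
    """Hardened version: every reflected value is encoded for the context it lands in."""
    return (
        "<html><body>"
        f"<h1>{encode_for_html(title)}</h1>"
        f'<a href="{safe_url(link)}" title="{encode_for_html(title)}">open</a>'
        "</body></html>"
    )


if __name__ == "__main__":
    payload = '<script>alert(1)</script>'
    print(render_unsafe(payload))                        # script tag reaches the browser
    print(render_safe(payload, "javascript:alert(1)"))  # both vectors neutralized
```

The point a reviewer should take from this: the fix is not "sanitize on input" but encoding at the output sink, chosen per context (element body, attribute, URL), which is what the CWE-79 definition means by neutralizing input before it is placed in output.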


Products Associated with CVE-2022-27926


What versions of Collaboration are vulnerable to CVE-2022-27926?