
CISA adds recently disclosed Zimbra bug to its Exploited Vulnerabilities Catalog
2022-02-28 20:37

The U.S. Cybersecurity and Infrastructure Security Agency expanded its Known Exploited Vulnerabilities Catalog to include a recently disclosed zero-day flaw in the Zimbra email platform, citing evidence of active exploitation in the wild.

Tracked as CVE-2022-24682, the issue is a cross-site scripting vulnerability in the Calendar feature of Zimbra Collaboration Suite. An attacker can abuse it to make a victim's browser load arbitrary JavaScript code simply by getting the user to click an exploit URL embedded in a phishing message.

The Known Exploited Vulnerabilities Catalog is a repository of security flaws that have been observed being abused by threat actors in attacks, and that Federal Civilian Executive Branch agencies are required to patch.

Zimbra has since pushed out a hotfix to remediate the flaw.

Due to the potential impact of this vulnerability, CISA has given federal agencies until March 11, 2022, to apply the security updates.

In addition to CVE-2022-24682, CISA has also added the following three vulnerabilities to the catalog -.
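As an added defender-side example (not code from the article, CISA or Zimbra), the routine below reads a KEV-style feed excerpt, keeps only the entries for the vendor of interest, flags inventory hosts that fall inside the affected range quoted in the vulnerability entry further down (8.8.x before 8.8.15 patch 30, update 1), and reports how many days remain until the March 11 due date. The feed excerpt, the host inventory and the treatment of "update" as a sub-level of "patch" are constructed assumptions; the JSON field names follow CISA's published feed format.

```python
"""Triage a KEV-style feed against a Zimbra inventory (added example, constructed data)."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names as CISA publishes
# them). The Zimbra entry uses values from the article; the second entry is a labelled
# placeholder that only exists to show unrelated vendors being filtered out.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2022-24682", "vendorProject": "Zimbra", "product": "Collaboration Suite",
  "vulnerabilityName": "Zimbra Collaboration Suite Calendar cross-site scripting",
  "dueDate": "2022-03-11"},
 {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "OtherVendor", "product": "OtherProduct",
  "vulnerabilityName": "placeholder entry", "dueDate": "2022-03-01"}
]}"""

# Constructed inventory: one record per host with version parts as reported locally.
INVENTORY = [
    {"host": "mail1.example", "vendor": "Zimbra", "version": "8.8.15", "patch": 29, "update": 0},
    {"host": "mail2.example", "vendor": "Zimbra", "version": "8.8.15", "patch": 30, "update": 1},
    {"host": "mail3.example", "vendor": "Zimbra", "version": "9.0.0", "patch": 12, "update": 0},
]


def is_affected(version: str, patch: int, update: int = 0) -> bool:
    """Affected range from the advisory text: 8.8.x before 8.8.15 patch 30 (update 1).
    Assumption: an 'update' orders after the 'patch' level of the same version."""
    major, minor, micro = (int(p) for p in version.split("."))
    if (major, minor) != (8, 8):
        return False
    return (micro, patch, update) < (15, 30, 1)


def kev_triage(kev_json: str, inventory: list, today: str, vendor: str = "Zimbra") -> list:
    """One row per vulnerable host and matching KEV entry, with days left to the due date."""
    entries = [e for e in json.loads(kev_json)["vulnerabilities"] if e["vendorProject"] == vendor]
    now = date.fromisoformat(today)
    rows = []
    for host in inventory:
        if host["vendor"] != vendor or not is_affected(host["version"], host["patch"], host["update"]):
            continue
        for e in entries:
            days_left = (date.fromisoformat(e["dueDate"]) - now).days
            rows.append({"host": host["host"], "cve": e["cveID"],
                         "days_left": days_left, "overdue": days_left < 0})
    return rows


if __name__ == "__main__":
    for row in kev_triage(KEV_JSON, INVENTORY, "2022-03-01"):
        print(row)  # only mail1.example is still inside the affected range
```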


News URL

https://thehackernews.com/2022/02/cisa-adds-recently-disclosed-zimbra-bug.html

Related Vulnerability

Date: 2022-02-09
CVE: CVE-2022-24682
Vulnerability title: Improper Encoding or Escaping of Output vulnerability in Zimbra Collaboration
Description: An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021.
Attack vector: network, low complexity
Vendor: zimbra
Weakness: CWE-116
Risk: 6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zimbra 7 0 39 16 8 63