CVE-2022-27926
MEDIUM | KEV | NUCLEI
Zimbra Collaboration Suite 9.0 - Reflected XSS via /public/launchNewWindow.jsp
Title source: llm
Exploitation Summary
CVE-2022-27926 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 3, 2023. A Nuclei detection template is also available.
Description
A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
Nuclei Templates (1)
Zimbra Collaboration (ZCS) - Cross Site Scripting
MEDIUM | VERIFIED | by rootxharsh, iamnoooob, pdresearch
Shodan:
http.favicon.hash:"1624375939" || http.favicon.hash:"475145467"
FOFA:
app="zimbra-邮件系统" || icon_hash="475145467" || icon_hash="1624375939"
References (4)
Core References
Vendor Advisory (x_refsource_misc)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Vendor Advisory (x_refsource_misc)
https://wiki.zimbra.com/wiki/Security_Center
Release Notes, Vendor Advisory (x_refsource_misc)
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27926
Scores
CVSS v3
6.1
EPSS
0.9413
EPSS Percentile
99.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
partial
Details
CISA KEV
2023-04-03
VulnCheck KEV
2023-03-30
InTheWild.io
2023-04-03
ENISA EUVD
EUVD-2022-32414
CWE
CWE-79
Status
published
Products (1)
synacor/zimbra_collaboration_suite
9.0.0 (24 CPE variants)
Published
Apr 21, 2022
KEV Added
Apr 03, 2023
Tracked Since
Feb 18, 2026