CVE-2022-27926

MEDIUM KEV NUCLEI

Synacor Zimbra Collaboration Suite - XSS

Description

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

Nuclei Templates (1)

Zimbra Collaboration (ZCS) - Cross Site Scripting
MEDIUM | VERIFIED | by rootxharsh, iamnoooob, pdresearch
Shodan: http.favicon.hash:"1624375939" || http.favicon.hash:"475145467"
FOFA: app="zimbra-邮件系统" || icon_hash="475145467" || icon_hash="1624375939"

Scores

CVSS v3 6.1
EPSS 0.9413
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CISA KEV 2023-04-03
VulnCheck KEV 2023-03-30
InTheWild.io 2023-04-03
ENISA EUVD EUVD-2022-32414
CWE CWE-79
Status published
Products (1)
synacor/zimbra_collaboration_suite 9.0.0 (24 CPE variants)
Published Apr 21, 2022
KEV Added Apr 03, 2023
Tracked Since Feb 18, 2026