CVE-2022-37044 — Vulnetix

CVE-2022-37044 PUBLISHED CVSS 6.099999904632568 MEDIUM

In Zimbra Collaboration Suite (ZCS) 8.8.15, the URL at /h/search?action accepts parameters called extra, title, and onload that are partially sanitised and lead to reflected XSS that allows executing arbitrary JavaScript on the victim's machine.

EPSS 1.40% · 80.8th percentile

Risk Scores

CVSS 3.1

6.099999904632568

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score

1.40%

80.8th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	*
zimbra	collaboration	8.8.15

Exploit Intelligence

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (circl)
https://wiki.zimbra.com/wiki/Security_Center (circl)

Timeline

Aug 11, 2022 CVE Published
Aug 12, 2022 EPSS Score
Sep 27, 2022 EPSS Score
Nov 12, 2022 EPSS Score
Dec 28, 2022 EPSS Score
Feb 12, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 31, 2023 EPSS Score
May 16, 2023 EPSS Score
Jul 1, 2023 EPSS Score
Aug 16, 2023 EPSS Score
Oct 1, 2023 EPSS Score

References

https://wiki.zimbra.com/index.php/Zimbra_Releases/8.8.15/P33 advisory
https://wiki.zimbra.com/index.php/Zimbra_Releases/9.0.0/P26 advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories url
https://wiki.zimbra.com/wiki/Security_Center url
https://nvd.nist.gov/vuln/detail/CVE-2022-37044 advisory

Open in Interactive Console →