CVE-2022-24682: 
Zimbra Collaboration Server vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Calendar feature of Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1). The vulnerability was actively exploited in the wild starting from December 2021. The issue allowed attackers to place HTML containing executable JavaScript inside element attributes, which became unescaped, leading to arbitrary markup injection into the document (Volexity Blog, CISA Advisory).

The vulnerability (CVE-2022-24682) has a CVSS score of 6.1 (Medium severity) and affects the HTML client in Zimbra Collaboration Suite 8.8.15. The vulnerability exists in the Calendar feature where an attacker could inject malicious HTML containing JavaScript code inside element attributes. When this markup becomes unescaped, it allows arbitrary code execution in the context of the user's Zimbra session (NVD, Volexity Blog).

When successfully exploited, the vulnerability allows attackers to steal user mail data and attachments, exfiltrate cookies to gain persistent access to mailboxes, send phishing messages to user's contacts, and present malware download prompts in the context of a trusted website (Volexity Blog).

Zimbra released a hotfix (version 8.8.15 P30) on February 5, 2022, to address this vulnerability. Organizations were strongly encouraged to update to the latest patch. The vulnerability does not affect version 9.0.0 since the HTML client is not available in that version (Zimbra Blog).

CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on February 25, 2022, citing evidence of active exploitation in the wild. Federal agencies were given until March 11, 2022, to apply the security updates (Hacker News).