Multiple security vulnerabilities in Zimbra email collaboration software

  • CERT Admin
  • Thu Jul 29 2021
  • Alerts

Components Affected 

· Zimbra webmail platform prior to version 8.8.15 

Threat Level 

Medium

Overview 

Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure. 

Description 

CVE-2021-35208 concerns a cross-site scripting (XSS) vulnerability in the Calendar Invite component that can be triggered in a victim's browser upon viewing a specially crafted email message containing a JavaScript payload. When executed, the payload grants access to the target's entire inbox as well as the web client session, which can then be abused to launch further attacks. 

CVE-2021-35208 relates to a server-side request forgery (SSRF) attack wherein an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, leading to its compromise. 

Impact 

· Expose sensitive information in the mailboxes 

Solution / Workarounds 

· Apply the security mitigations that have since been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories 
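As an added example (not part of this advisory or of Zimbra's own tooling), the following script checks a version line as reported by `zmcontrol -v` against the fixed patch levels named above. The exact shape of that output line is an assumption, and the sample lines are constructed.

```python
import re
from typing import Optional, Tuple

# Minimum patch level per release line, as stated in the advisory.
FIXED_PATCH = {(8, 8, 15): 23, (9, 0, 0): 16}
OLDEST_FIXED_LINE = (8, 8, 15)  # anything older is affected outright

# Assumed format of a `zmcontrol -v` line (constructed for this example), e.g.
# "Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P20."
RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_version(line: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), patch_level) or None if unrecognised.
    A release with no 'Patch' suffix is treated as patch level 0."""
    m = RELEASE_RE.search(line)
    if not m:
        return None
    release = tuple(int(x) for x in m.groups())
    p = PATCH_RE.search(line)
    return release, (int(p.group(1)) if p else 0)


def is_patched(line: str) -> Optional[bool]:
    """True if the build is at or above the fixed patch level for its release
    line, False if it is below (or older than 8.8.15), None if the release
    line is not one the advisory covers or the line cannot be parsed."""
    parsed = parse_version(line)
    if parsed is None:
        return None
    release, patch = parsed
    if release < OLDEST_FIXED_LINE:
        return False
    needed = FIXED_PATCH.get(release)
    return None if needed is None else patch >= needed


if __name__ == "__main__":
    # Constructed sample lines, not real server output.
    samples = [
        "Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P23.",
        "Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, Patch 8.8.15_P20.",
        "Release 9.0.0_GA_4395.RHEL7_64 RHEL7_64 NETWORK edition.",
        "Release 8.7.11_GA_1854.RHEL7_64 RHEL7_64 FOSS edition.",
    ]
    for s in samples:
        print({True: "patched", False: "AFFECTED", None: "unknown"}[is_patched(s)], "<-", s)
```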

Reference 

· https://thehackernews.com/2021/07/new-bug-could-let-attackers-hijack.html?m=1 

· https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories 

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind. 


Last updated: Thu Jul 29 2021