Zimbra Webmail Platform Bugs Gave Access To Mail Servers

Two safety bugs in Zimbra webmail may enable an adversary to entry and management mail servers. While the vulnerabilities have acquired a repair, they doubtlessly risked hundreds of enterprises globally.

Zimbra Bugs Exposed Mail Servers

Researchers from SonarSource discovered two totally different safety bugs within the open-source webmail platform Zimbra, exploiting which may expose mail servers.

Zimbra is a devoted software program suite with an online shopper and an e-mail server. Besides emails, it additionally helps chats, doc sharing, videoconferencing, and integration with different mail shoppers resembling Mozilla Thunderbird, Apple Mail, and Microsoft Outlook.

Specifically, one of many bugs features a stored XSS vulnerability (CVE-2021-35208) within the Calendar Invite element. It’s a medium severity bug with a severity rating of 5.4.

Exploiting this bug merely required an attacker to ship a malicious e-mail to the goal person. Once the sufferer opens that e-mail, a JavaScript payload would execute, giving the attacker entry to all sufferer emails.

Whereas the researchers have recognized the second vulnerability as an SSRF (CVE-2021-35209) permitting whitelist bypass. Though exploiting this bug required the attacker to have an authenticated entry, it didn’t matter what position the attacker would have. Thus, combining it with the primary bug may enable entry to the cloud infrastructure and extract delicate information.

In a real-world situation, these bugs may simply set off large-scale phishing assaults in opposition to enterprises. The researchers have shared the technical particulars in regards to the vulnerabilities in a blog post.

Patches Deployed

After discovering these bugs, SonarSource reached out to Zimbra, which then patched each of them.

According to the seller’s advisories, Zimbra fastened the bugs with Patch 23 of Zimbra 8.8.15 and Patch 16 of Zimbra 9.0.0.

Given the severity of the failings if exploited, all customers should replace the respective releases to remain protected from potential assaults.

Let us know your ideas within the feedback.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Zimbra Bugs Exposed Mail Servers

Patches Deployed

Related Posts

How to Fix It When Outlook Keeps Asking for a Password

Hillary Clinton’s email server is why this race is still close

Judicial Watch Settles Historic Hillary Clinton Email Lawsuit!

Email Hosting Services Market Rewriting Long Term Growth Story As Revealed In New Report

But Their Emails: Republicans React to Their Own Email Scandal

Dedicated SMTP Server For Bulk Mailing | By Time4Servers | by Time4Servers Technologies | Apr, 2024