Zimbra Webmail Platform Vulnerabilities Discovered That Could Compromise Mail Servers

Two security bugs in the Zimbra webmail platform could let an adversary read a victim's mail and, chained together, reach infrastructure behind the mail server. Both have since been patched, but until then they put the thousands of enterprises running Zimbra at risk.

Zimbra Bugs Exposed Mail Servers

Researchers at SonarSource found two security bugs in the open-source webmail platform Zimbra that, exploited together, could expose mail servers.

Zimbra is a software suite that combines a web client with an email server. Besides email, it supports chat, document sharing, video conferencing, and integration with desktop mail clients such as Mozilla Thunderbird, Apple Mail, and Microsoft Outlook.

The first bug is a stored cross-site scripting (XSS) vulnerability (CVE-2021-35208) in the calendar invite component. It is rated medium severity, with a CVSS score of 5.4.

Exploiting it requires nothing more than sending a crafted email to the target user. When the victim opens the message in the Zimbra web client, the embedded JavaScript payload executes in the context of their webmail session, giving the attacker access to all of the victim's emails.

The second vulnerability is a server-side request forgery (SSRF, CVE-2021-35209) that bypasses the allowlist restricting which hosts Zimbra will fetch on a user's behalf. Exploiting it requires an authenticated account, but any role suffices. Chained with the first bug, the attacker can obtain that authenticated access from the victim's session and then use the SSRF to reach cloud infrastructure behind the mail server (internal services or instance metadata endpoints are the usual targets of such a bypass) and extract sensitive data.
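The allowlist bypass described above belongs to a well-known class of bug: the check inspects the URL differently from the HTTP client that later fetches it. The Python below is an added illustration written for this article; it is not Zimbra's code and not a reproduction of CVE-2021-35209, and the allowlist, host names, fake DNS table and function names are assumptions. It places a string-prefix check beside a hardened check that parses the URL, rejects userinfo and unexpected ports, compares the exact host, and validates the resolved address before connecting.

```python
"""Allowlist checks for a server-side fetch proxy: a weak string check beside a hardened one.

Added illustration of the SSRF allowlist-bypass class. This is NOT Zimbra's code; the
allowlist, host names, fake DNS table and function names are assumptions for the example.
"""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed allowlist of hosts the proxy is meant to fetch from.
ALLOWED_HOSTS = {"mail.example.com", "files.example.com"}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "mail.example.com": "93.184.216.34",   # a public address
    "files.example.com": "10.0.0.5",       # resolves into the internal network
}


def weak_is_allowed(url: str) -> bool:
    """Prefix match on the raw URL string.

    Looks plausible but checks the wrong thing: the text at the start of the URL is
    not necessarily the host the HTTP client will connect to. Both
    "https://mail.example.com@169.254.169.254/" and "https://mail.example.com.evil.net/"
    pass this check.
    """
    return any(url.startswith(f"{scheme}://{host}")
               for scheme in ("http", "https")
               for host in ALLOWED_HOSTS)


def address_is_public(ip_text: str) -> bool:
    """Reject loopback, private, link-local (including 169.254.169.254) and other special ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_is_allowed(url: str) -> bool:
    """Parse the URL the way the client will, then compare the exact host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # Userinfo ("user@host") is the classic way to fool string-based checks:
    # "https://mail.example.com@169.254.169.254/" has hostname 169.254.169.254.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if host is None or host not in ALLOWED_HOSTS:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return port in (None, 80, 443)


def safe_target(url: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Full check: allowlisted host AND a public resolved address.

    Returns the IP address to connect to, or None if the fetch must be refused.
    """
    if not hardened_is_allowed(url):
        return None
    ip_text = resolve(urlsplit(url).hostname)
    if ip_text is None or not address_is_public(ip_text):
        return None
    return ip_text


if __name__ == "__main__":
    for candidate in ("https://mail.example.com/calendar",
                      "https://mail.example.com@169.254.169.254/latest/meta-data/",
                      "https://mail.example.com.evil.net/",
                      "https://files.example.com/"):
        print(f"{candidate}\n  weak={weak_is_allowed(candidate)} "
              f"hardened={hardened_is_allowed(candidate)} "
              f"target={safe_target(candidate, FAKE_DNS.get)}")
```

Use the address returned by `safe_target` for the actual connection rather than letting the HTTP client resolve the name a second time; otherwise a DNS rebinding attacker can answer the check with a public address and the real request with an internal one.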

In practice, the chain could be exploited at scale: the first step needs no interaction beyond opening a message, so an attacker could mail crafted invites to many users of a target organisation at once, much like a phishing campaign but without needing anyone to click. SonarSource has published the technical details of both vulnerabilities in a blog post.

Patches Deployed

After discovering the bugs, SonarSource reported them to Zimbra, which patched both.

According to the vendor's advisories, the fixes shipped in Zimbra 8.8.15 Patch 23 and Zimbra 9.0.0 Patch 16.

Given the impact of a successful exploit, administrators should update to those patch levels or later. Since the XSS fires as soon as a message is opened, user awareness training is not a mitigation here; only the patch is.
