Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could potentially be exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.
The flaws, tracked as CVE-2021-35208 and CVE-2021-35209, were discovered and reported in Zimbra 8.8.15 by researchers from code quality and security solutions provider SonarSource in May 2021. Mitigations have since been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.
- CVE-2021-35208 (CVSS score: 5.4) – Stored XSS Vulnerability in ZmMailMsgView.java
- CVE-2021-35209 (CVSS score: 6.1) – Proxy Servlet Open Redirect Vulnerability
“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” said SonarSource vulnerability researcher Simon Scannell, who identified the security weaknesses. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.”
Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others. It is used by over 200,000 businesses across 160 countries.
“The downside of using server-side sanitization is that all three clients could transform the trusted HTML of an email afterwards to display it in their unique way,” Scannell said. “Transformation of already sanitized HTML inputs can lead to corruption of the HTML and then to XSS attacks.”
Alternatively, CVE-2021-35209 relates to a server-side request forgery (SSRF) attack whereby an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS, leading to its compromise.
“Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet,” the company noted in its advisory. “If this servlet is configured to allow a particular domain (via the zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly.”
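The misconfiguration the advisory describes can be caught before deployment by resolving every entry of the Proxy Servlet allow list and rejecting any that points at non-public address space. The audit helper below is an added example, not Zimbra's own code; it assumes the allow list is available as a plain list of hostnames and uses a constructed stub resolver so it runs offline (swap in `system_resolver` for real DNS).

```python
"""Audit helper (added example, not Zimbra code): flag entries of a
zimbraProxyAllowedDomains-style allow list whose DNS answers point at
internal address space, the misconfiguration Zimbra's advisory warns about."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (including the 169.254.169.254
    cloud metadata endpoint) and every other non-global address."""
    return not ipaddress.ip_address(ip).is_global

def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; returns every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def audit_allowed_domains(domains: Iterable[str],
                          resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {domain: [offending addresses]} for each allow-listed domain that
    resolves to at least one internal address. A domain with no DNS answer is
    reported with an empty list so it is reviewed rather than silently trusted."""
    findings: Dict[str, List[str]] = {}
    for domain in domains:
        try:
            answers = resolve(domain)
        except OSError:  # socket.gaierror is a subclass of OSError
            findings[domain] = []
            continue
        bad = [ip for ip in answers if is_internal(ip)]
        if bad:
            findings[domain] = bad
    return findings

# Constructed sample DNS data standing in for real lookups so the example runs offline.
SAMPLE_DNS = {
    "cdn.example.com": ["8.8.8.8"],                     # public answer only: fine
    "internal.example.com": ["127.0.0.1"],              # loopback: reaches other local ports
    "meta.example.com": ["169.254.169.254"],            # link-local cloud metadata address
    "dual.example.com": ["1.1.1.1", "10.0.0.8"],        # one public, one private answer
}

def stub_resolver(host: str) -> List[str]:
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for dom, ips in audit_allowed_domains([*SAMPLE_DNS, "gone.example.com"], stub_resolver).items():
        print(f"{dom}: {'unresolvable' if not ips else 'resolves to internal ' + ', '.join(ips)}")
```

Because a name can change its answer between the audit and the proxied request (DNS rebinding), the same `is_internal` check should also run on the address actually connected to, and on each redirect target the HTTP client follows.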