Zimbra Vulnerabilities and Security Patches


Are you a Zimbra email user? Then you need to get your Zimbra server patched.

New vulnerabilities have been discovered in the Zimbra software which could open up your systems to infiltration and account takeover.

At this point, only Zimbra 8.8.15 users with Patch 24 and Zimbra 9.0 users with Patch 17 are protected. If you are running an older version of Zimbra, or even the latest Zimbra without the vulnerability patch, you are exposed to an active threat.

Cybersecurity researchers have discovered critical security vulnerabilities in the Zimbra software that are dangerous to Zimbra users. These gaps in Zimbra security allow cyber criminals to take over a victim's webmail session through a single malicious message, and, chained with a second bug, to make the Zimbra server itself send requests to attacker-chosen hosts. On a cloud-hosted server this can escalate to a full account takeover (ATO) of the mail server, since the server can be made to reach internal services it should never expose.

Technical Details on The Zimbra Vulnerabilities

The flaws are officially tracked as CVE-2021-35208 and CVE-2021-35209.

  • CVE-2021-35208 – Stored XSS Vulnerability (Cross-Site Scripting bug)
  • CVE-2021-35209 – Server-Side Request Forgery (SSRF)

Zimbra’s Cross-Site Scripting Bug

CVE-2021-35208 is a stored cross-site scripting (XSS) vulnerability in the Calendar Invite component of Zimbra webmail. The attacker sends a specially crafted phishing email; when the victim views it in the web client, the embedded script runs in the victim's browser with the victim's Zimbra web session. That gives the attacker the victim's entire inbox plus the authenticated session, which can be used to launch further attacks.

This is possible because the Zimbra web client performs its security checks on incoming HTML content only on the server side. The Ajax-based web client then processes that already-sanitized HTML again in the browser before rendering it, and it handles the markup differently from the server-side sanitizer. Content that passes the server's checks can therefore still end up as executable JavaScript once the client has transformed it. The general lesson is that sanitization must be applied to exactly the representation that is rendered; any transformation applied after the sanitizer can undo its guarantee.

Server-Side Request Forgery Bug in Zimbra

CVE-2021-35209 is Zimbra's SSRF bug, which lets an attacker make the Zimbra server itself send HTTP requests to a host of the attacker's choosing. Zimbra webmail supports various integrations, including Webex, and for that integration the web client needs to exchange Ajax requests with Webex interfaces. The browser's Same-Origin Policy blocks such cross-origin requests from the web client directly.

As a workaround, Zimbra provides a server-side proxy that fetches the required details from a Webex URL on the client's behalf. The proxy relaxes its restrictions for requests whose target matches webex.com patterns, so those targets pass its allow-list.

The vulnerability arises because the X-Host header of such a proxied request is not validated: an attacker can set it to change where the request actually goes, so the allow-list is checked against one destination while the server connects to another.

“A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,” the involved security researchers said. “As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.”

Installing the Zimbra Security Patches

These Zimbra vulnerabilities were discovered in Zimbra version 8.8.15 by security researchers in May 2021.

Logix InfoSecurity, the largest Platinum Partner for Zimbra, can help you tackle the issue.

Upgrading your Zimbra with the latest security patches is crucial, otherwise you may fall prey to account takeovers and worse cyber-attacks.

Logix is providing all Zimbra users with advisory services on how to secure your Zimbra solution.


For more security resources, visit the Logix Blog.
