
New Bug Could Let Attackers Hijack Zimbra Server by Sending Malicious Email
2021-07-27 08:46

Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher Simon Scannell, who identified the security weaknesses.

Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others.

CVE-2021-35208 concerns a cross-site scripting vulnerability in the Calendar Invite component. It is triggered in a victim's browser upon viewing a specially crafted email message containing a JavaScript payload which, when executed, grants access to the target's entire inbox as well as the web client session, which can then be abused to launch further attacks.

The problem stems from the fact that the Zimbra web clients - an Ajax-based desktop client, a static HTML client, and a mobile-optimized client - rely on sanitization of the HTML content of incoming emails performed on the server side, and that sanitization is implemented in a manner that enables a bad actor to inject rogue JavaScript code.

On the other hand, CVE-2021-35208 relates to a server-side request forgery attack wherein an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS, leading to compromise of the underlying cloud environment.
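The SSRF half of the chain works because the server's HTTP client follows a redirect to a cloud metadata endpoint. The following is an added example, not Zimbra's own code: a Python fetch wrapper that re-validates every redirect hop and refuses any destination that resolves to a non-public address or a known metadata hostname (the hostnames and addresses used in the test are constructed).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames used by cloud metadata services (constructed deny list for this example).
BLOCKED_HOSTS = {"metadata.google.internal", "metadata", "localhost"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def resolve(host):
    """Resolve a hostname to the set of addresses it maps to (swappable in tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_url(url, resolver=resolve):
    """True only if the URL is http(s) and every address it resolves to is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTS:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}  # a literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False
    if not addrs:  # unresolvable hosts are refused, never silently allowed
        return False
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:  # loopback, link-local (169.254.169.254), RFC1918, ...
            return False
    return True

def fetch_following_redirects(url, fetch, resolver=resolve, max_hops=5):
    """Fetch `url`, re-validating every redirect target before following it.
    `fetch(url)` is caller-supplied and returns (status, location_or_body).
    Returns (status, body) or raises ValueError on an unsafe hop or redirect loop."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url, resolver):
            raise ValueError(f"refusing to fetch {url}")
        status, payload = fetch(url)
        if status not in REDIRECT_CODES:
            return status, payload
        url = payload  # Location header; checked again on the next iteration
    raise ValueError("too many redirects")
```

Checking the destination once up front is not enough; the check has to run on each hop, because the unsafe target is usually reached only after a redirect from an innocuous-looking URL.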


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/1m_T-2HPMA8/new-bug-could-let-attackers-hijack.html

Related Vulnerability

Date: 2021-07-02
CVE: CVE-2021-35208
Title: Cross-site Scripting vulnerability in Zimbra Collaboration
Description: An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23.
Attack vector: network
Attack complexity: low
Vendor: zimbra
Weakness: CWE-79
Risk score: 5.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zimbra 7 0 39 16 8 63