Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email
2021-07-27 15:09

Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization's sent and received email messages, software security firm SonarSource reveals.

In June, Zimbra released patches for multiple security issues in the webmail solution, including two bugs identified by Simon Scannell, a security researcher with SonarSource.

The flaws could allow an unauthenticated attacker to compromise the webmail server of an organization and gain access to all employee email messages.

Tracked as CVE-2021-35208, the first of the vulnerabilities is a DOM-based stored cross-site scripting bug that an attacker could trigger when the victim views an incoming email.

An attacker looking to exploit the issue has to include crafted JavaScript code in the email.

SonarSource told SecurityWeek that a single email sent by the attacker to a user within the targeted organization is enough to exploit the two vulnerabilities.

News URL

http://feedproxy.google.com/~r/securityweek/~3/XUawdZI4S34/vulnerabilities-allow-hacking-zimbra-webmail-servers-single-email

Related Vulnerability

Date: 2021-07-02
CVE: CVE-2021-35208
Vulnerability title: Cross-site Scripting vulnerability in Zimbra Collaboration
Description: An issue was discovered in ZmMailMsgView.js in the Calendar Invite component in Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23.
Attack vector: network
Attack complexity: low
Vendor: zimbra
Weakness: CWE-79
Risk score: 5.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zimbra 7 0 39 16 8 63