The Zimbra webmail solution is affected by two serious vulnerabilities that could allow an attacker to gain complete access to an organisation’s sent and received emails. Zimbra released patches in June for these vulnerabilities, which a researcher at SonarSource discovered.
CVE-2021-35208, the first of these vulnerabilities, is a stored cross-site scripting vulnerability affecting the Document Object Model (DOM) that can be triggered by an incoming mail. This can be chained with a second vulnerability, CVE-20201-35209, an open redirect leading to a server-side request forgery attack that extracts tokens and credentials from Zimbra instances within the cloud infrastructure.
A single email is enough to exploit both CVEs. But, more disturbingly, the attack works despite the controls in place. Zimbra makes use of the OWASP HTML-Sanitizer, which ironically allows the first CVE to execute. In addition, Zimbra clients may transform the trusted HTML of an email afterwards to display it in the way it was intended, leading to corruption of the HTML, opening the door to cross-site scripting attacks.
The second CVE was identified in the Webex integration supported by Zimba, where a proxy forwards all HTTP traffic to URLs that match all possible subdomains of webex.com.
The Impact:
Successful exploitation of these vulnerabilities could allow an attacker unauthenticated access to an organisation’s sent and received emails. This includes any sensitive information within the inboxes and would enable the attacker to set email forwarding rules to obtain any future email correspondence.
The remediation:
Both vulnerabilities have been patched in with the release of Zimbra 9.0.0. P16 and 8.8.15 P23. Enterprise users running vulnerable versions should apply the patch as soon as possible. These patches have been available since late June. Learn more about the patches.
NOTE: Zimbra claims to have more than 200,000 business clients. Over 1000 of these clients are government and financial institutions. In addition, almost 500 clients are service providers.
Source: Security Week