"Zimbra Server Bugs Could Lead to Email Plundering"
According to Zimbra's site, its email and collaboration tools are used by over 200,000 businesses, over a thousand government and financial institutions, and hundreds of millions of users to exchange email every day. Researchers at SonarSource discovered that the Zimbra webmail server has two flaws that could let an attacker paw through the inbox and outbox of every employee in every enterprise that uses the immensely popular collaboration tool.

The first flaw could be triggered just by opening a malicious email containing a JavaScript payload. If a victim were to open such a rigged email, they would trigger a cross-site scripting (XSS) bug (CVE-2021-35208) in their browser. When executed, that payload would give an attacker access to the victim's emails, as well as their webmail session, the researchers stated.

The second flaw is a bypass of an allow-list that leads to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209). It can be exploited by any authenticated account in a targeted organization, regardless of its permission role. Combined, the two bugs would give a remote attacker the power to extract precious goodies, including Google Cloud API tokens or AWS IAM credentials, from instances within the cloud infrastructure. The issues were reported to Zimbra on May 20 and 22, and patches were released on June 28 for the 8.8.15 and 9.0 series.
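The SSRF described above turns an allow-list bypass into access to cloud credential endpoints. As an added illustration of the defensive side (not Zimbra's code and not taken from the researchers' write-up), the check below validates a server-side fetch target by matching the host exactly against an allow-list, pinning the scheme, and refusing any destination that resolves to a non-public address such as the link-local metadata range. The allow-list, the resolver table and the URLs are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list of hosts the server is permitted to fetch from.
ALLOWED_HOSTS = {"files.example.com", "calendar.example.com"}
ALLOWED_SCHEMES = {"https"}


def resolve_host(host):
    """Resolve a hostname to ip_address objects; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_safe_fetch_target(url, resolver=resolve_host):
    """Return True only if url may be fetched server-side.

    Every failure mode returns False: wrong scheme, embedded credentials,
    a host that is not on the allow-list (including raw IP literals such
    as 169.254.169.254), a host that does not resolve, or a host whose
    resolved address is loopback, private, link-local or otherwise
    not globally routable. Resolution is checked so that an allow-listed
    name pointing at internal infrastructure is still refused.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False
    addrs = resolver(host)
    if not addrs:
        return False
    # is_global is False for 10/8, 127/8, 169.254/16 (cloud metadata) etc.
    return all(addr.is_global for addr in addrs)


def fake_resolver(host):
    """Constructed offline resolver standing in for DNS in this example."""
    table = {
        "files.example.com": ["93.184.216.34"],   # public address
        "calendar.example.com": ["10.0.0.5"],     # points inside the VPC
    }
    return [ipaddress.ip_address(a) for a in table.get(host, [])]
```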
Threatpost reports: "Zimbra Server Bugs Could Lead to Email Plundering"