Two Critical Vulnerabilities Identified in Zimbra Webmail Solution

SAM Vulnerability
Share It On:

11th November 2021, Kathmandu

Unpatched vulnerabilities are an entryway for attacker intrusions.

They make cybercriminals’ positions simple to break into designated network frameworks.

Network protection specialists from security firm SonarSource as of late revealed two basic vulnerabilities in Zimbra’s endeavor webmail arrangement that could permit an attacker to think twice about acquiring steady access to business email accounts.

Zimbra is a well-known open-source arrangement supplier for big business mail administrations to worldwide public and private associations.

The vulnerabilities, followed as CVE-2021-35208 and CVE-2021-35209, existed in Zimbra 8.8.15 adaptation.

“A mix of these vulnerabilities could empower an unauthenticated attacker to think twice about designated association’s Zimbra webmail server.

Subsequently, an attacker would acquire unlimited access to all sent and got messages, all things considered,” Zimbra said.

vulnerability1

Followed as CVE-2021-35208, this vulnerability is a Cross-Site Scripting (XSS) that triggers in a casualty program by means of a vindictive email with an uncommonly created JavaScript payload.

Whenever taken advantage of effectively, the blemish empowers an attacker to get illegal access to the casualties’ email accounts and their webmail meetings.

vulnerability2

Followed as CVE-2021-35209, this is a Server-Side Request Forgery (SSRF) blemish that can be taken advantage of by a distant attacker joining it with the XSS vulnerability. The flaw permits unapproved access to Zimbra’s HTTP customer and steals private data like access tokens and credentials from Google Cloud and Amazon Web Services.

Both the vulnerabilities could be taken advantage of by sending a solitary malevolent email to the designated client.

When the casualty opens the vindictive email, the JavaScript payload consequently sends and contaminates the Zimbra web interface to take advantage of the second defect in the backend.

Zimbra fixed both the defects in its most recent security update after SonarSource detailed the issue. “Zimbra might want to caution its clients that they can present an SSRF security vulnerability in the Proxy Servlet.

If this servlet is designed to permit a specific area (through zimbraProxyAllowedDomains setup setting), and that space makes plans to an inner IP address, (for example, 127.0.0.1), an attacker could get to administrations running on an alternate port on a similar server, which would ordinarily not be uncovered freely.

Along these lines, we encourage our clients to audit this setup setting to guarantee that there are no vulnerabilities are presented,” Zimbra added.


Share It On:

Recent Posts

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future Plans

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future

Share It On:22nd November 2024, Kathmandu Liberty Energy Company Limited is gearing up to issue rights shares starting December 1,

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Share It On:22nd November 2024, Kathmandu Asha Laghubitta Bittiya Sanstha is holding its 8th Annual General Meeting (AGM) today, November

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and Reproductive Health Policies

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and

Share It On: 21st November, Kathmandu Nepal is set to host the 6th Asian Population Conference from November 27 to

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Share It On:21st November, Kathmandu Kumari Bank Limited has officially declared its intention to sell a substantial number of promoter

Up to NPR 150 Cashback on Nepal Telecom and Ncell Services with Namaste Pay

Up to NPR 150 Cashback on Nepal Telecom and Ncell

Share It On:21st November, Kathmandu Namaste Pay has unveiled an exciting new campaign to reward its users with cashback on

Ncell introduces innovative feature, enabling customers to convert voice to data or data to voice services

Ncell introduces innovative feature, enabling customers to convert voice to

Share It On:21st November, Kathmandu Ncell customers can enjoy an innovative feature that allows them to convert or exchange remaining