Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure.
The flaws — tracked as CVE-2021-35208 and CVE-2021-35208 — were discovered and reported in Zimbra 8.8.15 by researchers from code quality and security solutions provider SonarSource in May 2021. Mitigations have since been released in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.
- CVE-2021-35208 (CVSS score: 5.4) - Stored XSS Vulnerability in ZmMailMsgView.java
- CVE-2021-35209 (CVSS score: 6.1) - Proxy Servlet Open Redirect Vulnerability
"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees."
Zimbra is a cloud-based email, calendar, and collaboration suite for enterprises and is available both as an open-source version and a commercially supported version with additional features such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook, among others. It's used by over 200,000 businesses across 160 countries.
CVE-2021-35208 concerns a cross-site scripting (XSS) vulnerability in the Calendar Invite component that can be triggered in a victim's browser upon viewing a specially-crafted email message containing a JavaScript payload that, when executed, grants access to the target's entire inbox as well as the web client session, which can then be abused to launch further attacks.
The problem stems from the fact that the Zimbra web clients — an Ajax-based desktop client, a static HTML client, and a mobile-optimized client — perform the sanitization of the HTML content of incoming emails on the server-side and in a manner that enables a bad actor to inject rogue JavaScript code.
"The downside of using server-side sanitization is that all three clients may transform the trusted HTML of an email afterwards to display it in their unique way," Scannell said. "Transformation of already sanitized HTML inputs can lead to corruption of the HTML and then to XSS attacks."
On the other hand, CVE-2021-35208 relates to a server side request forgery (SSRF) attack wherein an authenticated member of an organization can chain the flaw with the aforementioned XSS issue to redirect the HTTP client used by Zimbra to an arbitrary URL and extract sensitive information from the cloud, including Google Cloud API access tokens and IAM credentials from AWS, leading to its compromise.
"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."