Zimbra has addressed two vulnerabilities in its webmail server that could allow threat actors to gain unrestricted access to employees' email accounts. This could give attackers access to confidential information and documents and to email contacts, and could be used to conduct phishing and other malicious email campaigns.

The vulnerabilities could be chained to allow an attacker to extract tokens and credentials from instances within the cloud infrastructure. An attacker could craft a malicious email containing JavaScript code that is triggered when a user opens the email. If opened, the payload interacts with Zimbra's web interface to exploit the second flaw automatically in the background, without further user interaction. Successful exploitation could allow an unauthenticated attacker to access an organization's webmail server and gain access to all employee emails.

______________________________

A. Nature of the Vulnerabilities

The vulnerabilities are described as follows:

CVE-2021-35208

A cross-site scripting (XSS) vulnerability that could allow an attacker to execute arbitrary code when the victim views an incoming email, by inserting executable JavaScript code inside element attributes in the HTML. Successful exploitation grants the attacker access to the victim's email account and webmail session.

CVE-2021-35209

A server-side request forgery (SSRF) vulnerability was discovered in ProxyServlet.java in the /proxy servlet in Zimbra. The value of the X-Host header overwrites the value of the Host header in proxied requests, and the X-Host value is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
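The following is an added illustration of the SSRF described above, not code from Zimbra or from this advisory. It models a proxy servlet that validates the request URL's host against an allowlist but lets an X-Host header override the upstream Host header unchecked, beside the hardened form that validates whichever host will actually be sent upstream. The allowlist entries, the "*." wildcard semantics and the sample hosts are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the zimbraProxyAllowedDomains setting; the entries
# and the '*.' wildcard meaning are assumptions for this example.
ALLOWED_DOMAINS = ("*.example.com", "calendar.partner.invalid")


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host matches an allowlist entry ('*.x' matches subdomains of x)."""
    host = host.lower().rstrip(".").split(":")[0]  # drop trailing dot and port
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # '*.example.com' -> '.example.com'
                return True
        elif host == entry:
            return True
    return False


def _x_host(headers):
    """Case-insensitive lookup of the X-Host request header, or None."""
    return next((v for k, v in headers.items() if k.lower() == "x-host"), None)


def vulnerable_upstream_host(target_url, headers):
    """Model of the flaw: only the URL host is checked, but an X-Host header
    silently replaces the Host header of the proxied request."""
    url_host = urlsplit(target_url).hostname or ""
    if not host_allowed(url_host):
        raise PermissionError(f"{url_host} is not an allowed proxy target")
    override = _x_host(headers)
    return override if override is not None else url_host  # never validated


def hardened_upstream_host(target_url, headers):
    """Fixed behaviour: the URL host and any override must both pass the
    allowlist, so an X-Host header cannot redirect the proxy elsewhere."""
    url_host = urlsplit(target_url).hostname or ""
    override = _x_host(headers)
    effective = override if override is not None else url_host
    for candidate in (url_host, effective):
        if not host_allowed(candidate):
            raise PermissionError(f"{candidate} is not an allowed proxy target")
    return effective
```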

______________________________

B. List of Vulnerable Systems

Vulnerable Zimbra webmail server versions include:

  • Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23
  • Zimbra Collaboration Suite 9.x before 9.0.0 Patch 16

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Administrators are urged to test and apply the latest stable version of Zimbra to mitigate known security threats.
  • Taking a good backup of systems before patching is good practice, in case anomalies or issues are encountered.
  • As of July 31, Zimbra will no longer release patches for versions 8.8.0 and 9.0.0 on the operating systems listed below, all of which have reached end-of-life (EOL):
    • Ubuntu 14.04
    • CentOS and RHEL 6
    • Oracle 6
  • For additional information, kindly refer to the official Advisory of Zimbra (https://blog.zimbra.com/2020/10/new-zimbra-patches-9-0-0-patch-8-and-8-8-15-patch-15/)