Groupware Zimbra: Updates patch several security vulnerabilities

In the groupware Zimbra, developers have closed several security vulnerabilities with updated packages.

(Image: Shutter z/Shutterstock.com)

The developers of the groupware Zimbra have released updated software packages. They close several security vulnerabilities at once. IT managers should apply the updates quickly.

The changelogs for the newly available versions 10.0.18 and 10.1.13 list a considerable number of closed security vulnerabilities. For version 10.0.18 these are:

  • AntiSamy updated to version 1.7.8, fixing a stored cross-site scripting vulnerability
  • Path check introduced in the ExportAndDeleteItemsRequest API to prevent insecure file exports
  • A CSRF enforcement issue in certain authentication flows addressed
  • Unauthenticated local file inclusion vulnerability in RestFilter resolved
  • Nginx module updated to meet security and compliance standards

Version 10.1.13 closes even more security vulnerabilities, in addition to the aforementioned ones:

  • Hardcoded Flickr API credentials removed from the Flickr Zimlet, and the credentials revoked
  • Stored cross-site scripting vulnerability in the Zimbra Mail client for emails with PDF attachments corrected
  • Input and null checks added in the PreAuthServlet so that malformed requests no longer disclose internal errors
  • An admin account enumeration issue resolved
  • Apache HttpClient library updated to version 4.5.14

The developers have not yet published exact details of the closed security vulnerabilities or the corresponding CVE entries. Vulnerabilities in Zimbra are, however, frequently targeted by cybercriminals, not least because some government agencies, for example in the EU, run the groupware Zimbra.
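Since the article only names the fixed releases, the practical check for an administrator is whether the installed build is at or above 10.0.18 on the 10.0 branch or 10.1.13 on the 10.1 branch. The following shell snippet is an added example, not code from the article or from Zimbra; it assumes that `zmcontrol -v` prints a line starting with `Release X.Y.Z...` (the format of the sample string below is constructed for the example), and it only knows the two fixed versions the article mentions.

```shell
#!/bin/sh
# Added example: compare an installed Zimbra version against the first fixed
# release of its branch. Fixed versions taken from the article; the
# "Release X.Y.Z_..." output format of `zmcontrol -v` is an assumption.

# zimbra_fixed_version X.Y -> print the first fixed release for branch X.Y,
# exit 1 for branches the article does not cover.
zimbra_fixed_version() {
    case "$1" in
        10.0) echo "10.0.18" ;;
        10.1) echo "10.1.13" ;;
        *)    return 1 ;;
    esac
}

# zimbra_version_from_release "Release 10.0.17_GA_..." -> print "10.0.17"
# (the assumed shape of the zmcontrol -v output; nothing printed otherwise).
zimbra_version_from_release() {
    printf '%s\n' "$1" | sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# zimbra_is_patched X.Y.Z -> exit 0 if X.Y.Z is at or above the fixed
# release for branch X.Y, exit 1 if it is older or the branch is unknown.
zimbra_is_patched() {
    ver="$1"
    branch=$(printf '%s\n' "$ver" | cut -d. -f1,2)
    fixed=$(zimbra_fixed_version "$branch") || return 1
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    fixed_patch=$(printf '%s\n' "$fixed" | cut -d. -f3)
    # Refuse to compare anything that is not a plain patch number.
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge "$fixed_patch" ]
}

# Usage on a live host (as the zimbra user):
#   ver=$(zimbra_version_from_release "$(zmcontrol -v)")
#   zimbra_is_patched "$ver" && echo "patched ($ver)" || echo "UPDATE NEEDED ($ver)"
```

The branch table is deliberately minimal: a version on a branch not listed is reported as not patched, so an unexpected result points at a host that needs a closer look rather than being silently waved through.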


The CERT-Bund of the Federal Office for Information Security (BSI) nevertheless rates the severity of the vulnerabilities at up to a CVSS score of 9.8, i.e. "critical". Its analysts assume that attackers can use the security vulnerabilities to execute arbitrary malicious code and bypass security measures, among other things.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.