Zimbra has rolled out a significant security update for its collaboration suite, releasing Zimbra 10.1.16 to address a spectrum of vulnerabilities ranging from front-end script injection to back-end data manipulation. The maintainers are issuing a “strong recommendation” for all administrators and users to upgrade immediately, citing both improved stability and critical security enhancements.
The update targets several classic web attack vectors, closing loopholes that could allow attackers to hijack sessions or query internal directories.
The patch notes highlight three distinct “injection” style vulnerabilities that have been squashed in this release.
- XSS in Webmail: The update resolves a Cross-Site Scripting (XSS) vulnerability affecting both Zimbra Webmail and Briefcase file sharing. XSS flaws typically allow attackers to execute malicious scripts in a victim’s browser, often used to steal session cookies or perform actions on behalf of the user.
- LDAP Injection: On the backend, the team fixed an “authenticated LDAP injection” flaw. By implementing “improved input sanitization,” Zimbra has closed a gap that could have allowed authorized users to manipulate Lightweight Directory Access Protocol queries, potentially accessing unauthorized user data.
- XXE in SOAP: The release also addresses an XML External Entity (XXE) vulnerability located in the EWS SOAP endpoint. XXE attacks are particularly dangerous as they can often be used to read local system files or force the server to make requests to internal systems (SSRF).
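The two back-end fixes above come down to boundary checks on untrusted input. The following added example (not Zimbra's code, and not taken from the patch) shows what those checks look like for the LDAP injection and XXE items: an RFC 4515 escaper that neutralises filter metacharacters in a caller-supplied value, and a pre-parse check that refuses any DOCTYPE in a SOAP body, since that is where entity declarations live. The filter attributes, function names and sample inputs are constructed for illustration and are not Zimbra's schema or traffic.

```python
import re
import xml.etree.ElementTree as ET

# --- LDAP injection: escape untrusted values before placing them in a filter ---
# RFC 4515 filter-value escaping: each metacharacter becomes a backslash plus
# its two-digit hex code, so it can no longer open, close or wildcard a clause.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with LDAP filter metacharacters escaped per RFC 4515."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Hypothetical account-lookup filter; attribute names are generic examples,
# not Zimbra's LDAP schema.
def build_account_filter_unsafe(uid: str) -> str:
    """Vulnerable form: the caller-supplied uid is concatenated verbatim."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_account_filter(uid: str) -> str:
    """Hardened form: the uid is escaped, so it can only ever match literally."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_ldap_filter_value(uid)}))"


# --- XXE: refuse any DOCTYPE at the SOAP boundary ---
# A SOAP request has no legitimate need for a DOCTYPE, and a DOCTYPE is the
# only place internal or external entities can be declared. Rejecting it
# outright is the conservative rule, applied before any parser sees the bytes.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def soap_body_is_acceptable(body: bytes) -> bool:
    """True when the body carries no DOCTYPE (and therefore no entity declarations)."""
    return _DOCTYPE_RE.search(body) is None


def parse_soap_body(body: bytes) -> ET.Element:
    """Parse a SOAP body only after the DOCTYPE check has passed."""
    if not soap_body_is_acceptable(body):
        raise ValueError("SOAP body contains a DOCTYPE; entity declarations are not permitted")
    # CPython's expat does not fetch external entities by default; the explicit
    # pre-parse check enforces the policy regardless of parser configuration.
    return ET.fromstring(body)


# Constructed sample inputs (not taken from Zimbra or any real traffic).
SAMPLE_UID = "alice"
SAMPLE_UID_WITH_METACHARS = "alice)(mail=*"  # filter metacharacters in a caller-supplied value
SAMPLE_SOAP = b"<Envelope><Body><GetFolder/></Body></Envelope>"
SAMPLE_SOAP_WITH_DOCTYPE = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "text">]><Envelope>&e;</Envelope>'
)

if __name__ == "__main__":
    print(build_account_filter_unsafe(SAMPLE_UID_WITH_METACHARS))  # extra clause smuggled into the filter
    print(build_account_filter(SAMPLE_UID_WITH_METACHARS))         # value can only match literally
    print(soap_body_is_acceptable(SAMPLE_SOAP), soap_body_is_acceptable(SAMPLE_SOAP_WITH_DOCTYPE))
```

Escaping is the right tool for the LDAP case because the value must still reach the directory; for XXE the input has no legitimate use for the dangerous construct at all, which is why refusal rather than sanitisation is the safer default.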
Beyond specific bug fixes, the update hardens the application’s general defenses. The release has “strengthened CSRF protection with proper token validation,” making it much harder for attackers to trick users into unknowingly submitting malicious requests.
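"Proper token validation" is the whole difference between a CSRF token that protects and one that is decorative. The added example below (not Zimbra's implementation; the scheme is an assumption for illustration) contrasts a weak check that only tests for the token's presence with a validation that binds the token to the session via an HMAC under a server-side key and compares it in constant time. Session identifiers and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical scheme (an assumption for this example): a random nonce bound to
# the session by an HMAC under a server-side key. The token is worthless for
# any other session, and the server needs no per-token storage to validate it.
SERVER_KEY = secrets.token_bytes(32)  # in practice: loaded from config and rotated


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a token of the form <nonce>.<hmac(session_id:nonce)>."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token_weak(token: Optional[str]) -> bool:
    """Improper validation: any non-empty value passes."""
    return bool(token)


def validate_csrf_token(token: Optional[str], session_id: str, key: bytes = SERVER_KEY) -> bool:
    """Proper validation: recompute the MAC for *this* session, compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, presented_mac = token.split(".", 1)
    expected_mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented_mac, expected_mac)


def demo() -> dict:
    """Constructed scenario: a token issued to one session is tried in several ways."""
    victim_session = "sess-victim-01"   # constructed id
    other_session = "sess-other-02"     # constructed id
    token = issue_csrf_token(victim_session)
    # Flip the last hex digit of the MAC to simulate a tampered token.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "genuine_request": validate_csrf_token(token, victim_session),
        "token_from_other_session": validate_csrf_token(issue_csrf_token(other_session), victim_session),
        "tampered": validate_csrf_token(tampered, victim_session),
        "missing": validate_csrf_token(None, victim_session),
        "arbitrary_string_under_weak_check": validate_csrf_token_weak("anything"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:36} accepted={accepted}")
```

The weak check is what "improper validation" usually looks like in practice: the token is generated and sent, but the server never ties it back to the session that requested it, so any forged request that includes some token value is waved through.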
Security often comes at the cost of convenience, but this update attempts to balance both. The team noted that they have “restored PDF preview functionality in Classic UI,” but explicitly mentioned this was done with new “security safeguards” in place. Additionally, the update restores “mail rendering stability while maintaining existing security protections,” ensuring that emails look correct without opening the door to malicious content.
With fixes for XSS, XXE, and LDAP injection packed into a single release, Zimbra 10.1.16 is a mandatory update for any organization looking to keep its email infrastructure secure and stable.