Attackers may hijack Zimbra’s server

Researchers have found numerous security flaws in Zimbra email collaboration software, the exploitation of which may lead to email account compromise and even a full hijacking of the mail server. The news about the flaws came after cybersecurity experts carefully examined the software.


Zimbra is a cloud-based email, calendar, and collaboration suite designed for corporate use, with extra capabilities such as a proprietary connector API to synchronize mail, calendar, and contacts to Microsoft Outlook. The software has both, a commercial and an open source version, and is utilized worldwide in over 160 countries.

In May 2021, researchers from SonarSource, a code quality and security solutions company, found and reported two separate vulnerabilities in Zimbra 8.8.15 — CVE-2021-35208 and CVE-2021-35208. Patches for them have been released with Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16.

However, a deeper research on the flaws has shown that if a malicious actor decides to exploit them, he can get access to a targeted organization’s whole Zimbra webmail server. As a consequence, an attacker would have full access to all emails that have been sent and received by the organization’s workers.

As per the details that are available, the CVE-2021-35208 vulnerability is an XSS flaw that resides in the Calendar Invite component. An attacker can exploit this vulnerability by sending a malicious email that is crafted to contain a JavaScript payload, which, when executed, allows the attacker to gain access to the target’s entire inbox as well as the web client session, which they can then use to launch further attacks.

To understand the problem, we must look at all three of the Zimbra web clients, which are Ajax-based, static HTML, and mobile-optimized. The issue is that all three of these clients perform sanitization of incoming email messages on the server-side, which gives an attacker the ability to introduce malicious JavaScript code.

CVE-2021-35209  is a vulnerability that еxists on the server-side request forgery (SSRF). An authenticated member of an organization can exploit this flaw to redirect Zimbra’s HTTP client and obtain sensitive information, including Google Cloud API access tokens and AWS IAM credentials.

More details and security guidelines about the flaws are available in the official Zimbra’s advisory.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment