Zimbra Flaw

Zimbra offers the most innovative messaging experience, connecting end-users to the information and activity in personal clouds. It is used by over 200,000 businesses and over a thousand government & financial institutions to exchange emails between millions of users every day.

Experts from SonarSource have disclosed two vulnerabilities in the open-source Zimbra code. These vulnerabilities could allow an unauthenticated attacker to compromise a targeted organization’s Zimbra webmail server.

Therefore, an attacker would gain unrestricted access to all sent and received emails of all employees.

Flaws That Took Over Zimbra Server

  • CVE-2021-35208 (CVSS score: 5.4) – Cross-Site Scripting bug
  • CVE-2021-35209 (CVSS score: 6.1) – Server-Side Request Forgery vulnerability

Experts say that a Cross-Site Scripting (XSS) bug(CVE-2021-35208 ) can be triggered in a victim’s browser when viewing an incoming email.

The malicious email would include a crafted JavaScript payload that, when executed, would provide an attacker with access to all emails of the victim, in addition to their webmail session. In this case, other features of Zimbra could be accessed and further attacks could be initiated.

Server-Side Request Forgery vulnerability (CVE-2021-35209), bypasses an allow-list that leads to a powerful Server-Side Request Forgery. Researchers mention that this can be exploited by an authenticated member of an organization with any permission role.

The process clearly explains that the problem arises from the fact that the Zimbra web clients, an Ajax-based desktop client, a static HTML client, and a mobile-optimized client, perform the sanitization of the HTML content of incoming emails on the server-side and in a manner that enables a bad actor to inject rogue JavaScript code.

The SSRF is Powerful For Two Reasons:

SSRF vulnerabilities have become an increasingly dangerous bug class, especially for cloud-native applications. It is powerful since,

  • Arbitrary headers can be set in the outgoing request, and
  • The response can be read.

If a Zimbra instance is hosted on a Cloud provider which has a metadata API reachable from the VM the server is hosted on, highly sensitive information could be leaked.


Security experts say that SSRF attacks can be mitigated by disallowing the HTTP request handler to follow redirects. It is advisable to validate the value of the Location header of the response and create a new request after it has been validated. This would also protect against Open Redirect vulnerabilities.

The XSS attack also has been fixed by removing the code that transformed the form tag altogether.

Patch Available

Zimbra team fixed all the issues with Patch 18 for the 8.8.15 series and Patch 16 for the 9.0 series. Prior versions of both branches are vulnerable.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.