
Alert: Zimbra Security Upgrade to fix 0-Day Vulnerability

Zimbra, an open-source email and collaboration platform, has released a security upgrade to fix a discovered Cross-Site Scripting (XSS) zero-day vulnerability in its previous version.
Version affected: Zimbra 8.8.15

Security Risks

A malicious actor could exploit the zero-day vulnerability in the email platform to steal emails, manipulate cookies to allow persistent access to a mailbox, send phishing emails from the compromised account, and enable malware download on a system.

Recommended Action

The National Cyber Security Authority recommends that all users and administrators:
  • upgrade to Zimbra 9.0.0;
  • ensure they have a backup of their data before any update task.
 

For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or by phone on 9009.
 
References

Zimbra Collaboration 9.0.0 GA Release
Volexity Blog

04 February 2022
