Zimbra bug allows stealing email logins with no user interaction

Gandalf_The_Grey

Apr 24, 2016
Technical details have emerged on a high-severity vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without authentication or user interaction.

The security issue is currently tracked as CVE-2022-27924 and impacts Zimbra releases 8.8.x and 9.x in both the open-source and the commercial versions of the platform.

A fix has been published in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, available since May 10, 2022. Zimbra is often used by organizations worldwide, including those in the government, financial, and educational sectors.
At Sonar, we are studying real-world vulnerabilities to improve our code analyzers, and to help the open-source community to secure their projects. To uncover and understand complex vulnerabilities in high-profile applications, our researchers need to take the perspective of real-world attackers. By sharing our findings from this perspective, we also aim to provide useful insights and learnings to the community.