CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Blueberry
Posts: 3
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Blueberry » Thu Jan 25, 2018 12:20 pm

jorgedlcruz wrote: Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.

Thanks


Have you?


Klug
Elite member
Posts: 2251
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Thu Jan 25, 2018 1:24 pm

The point was raised to Zimbra (France) and this forum (and Zeta ML) more than 10 days ago.

The answer should have been given in less than 15 minutes.
Anyone working on "support" or "product management" or "dev management" should know if a supported version of their software has issues with vulnerabilities disclosed several months ago.
phoenix
Ambassador
Posts: 25243
Joined: Fri Sep 12, 2014 9:56 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby phoenix » Thu Jan 25, 2018 2:29 pm

Blueberry wrote: Have you?
It's taken thirteen days to get this far, you surely weren't expecting a quick answer were you? :o
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
phoenix
Ambassador
Posts: 25243
Joined: Fri Sep 12, 2014 9:56 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby phoenix » Thu Jan 25, 2018 2:41 pm

jorgedlcruz wrote: I will ask Engineering if they can help us to provide some clarity on the issue.
I'll join Klug on this issue, surely this should have been posted (at the very least) in these forums as soon as this problem was seen by Zimbra. Have you actually told NE customers about this or is it just the forums that have been left out in the cold? There are users of your product that depend on it for their livelihoods, how can they protect that if you a) don't bother notifying them about possible security problems and b) give them some indication and follow-up on the status of the work on this problem?

Is there anyone responsible for the forums these days and why have they been abandoned by Zimbra? Many of your NE customers visit these forums as well as the OSS users and it seems that Zimbra (i.e. Synacor) couldn't give a fig about what goes on here, shame on them for not understanding and wasting this vital resource for your users. We test the products for you, report bugs and problems and as far as I can see we just get a kick in the teeth for our efforts. Although I guess, as usual, this post will be a total waste of time and will fall on deaf ears. If I ran my business and treated my customers like Zimbra runs these forums and treats its users I'd have been bankrupt a long time ago.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
jorgedlcruz
Zimbra Employee
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby jorgedlcruz » Thu Jan 25, 2018 6:36 pm

Hi guys,
I've escalated this issue again and as soon as I have more information I will let you know.

Thank you.
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
Blueberry
Posts: 3
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Blueberry » Fri Jan 26, 2018 10:06 am

Hi everyone,

@Phoenix, you got me laughing! It's good to laugh these days, when you pay tens of thousands of bucks for the ZCS NE each year and get absolutely NO support and no bug fixes at all from Zimbra!
So you're right, I wasn't expecting any answer at all.

Zimbra already owes us half of our 2017 yearly subscription as they didn't provide us any support nor any bug fixes since August 6th (ZCS 8.7.11). Soon, if this situation does not improve, this will have to go to court.

Zimbra guys will soon meet Devon Null on top of the Kilimanjaro escalating like that for months now! :shock: :lol:
Blueberry
Posts: 3
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Blueberry » Tue Jan 30, 2018 12:23 pm

jorgedlcruz wrote: Hi guys,
I've escalated this issue again and as soon as I have more information I will let you know.

Thank you.


5 days later and still no feedback. Who's leading the development of Zimbra at Synacor?
scantec
Posts: 44
Joined: Mon May 05, 2014 11:55 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby scantec » Tue Jan 30, 2018 1:43 pm

Seems no one is - this is crap and irresponsible support - don't be surprised of paying customers abandoning Zimbra
jorgedlcruz
Zimbra Employee
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby jorgedlcruz » Tue Jan 30, 2018 3:16 pm

Hi guys,
Zimbra is going to release a Patch 9 for ZCS 8.6 by February 9th at the latest. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.

As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
jorgedlcruz
Zimbra Employee
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby jorgedlcruz » Tue Jan 30, 2018 3:51 pm

Already changed to P1 by Engineering and the team is working on it as well, I can't confirm that one will be included in this upcoming Patch. We can keep that conversation where it belongs > on the other topic for it.
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
