Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Thu Jan 25, 2018 12:20 pm
by Blueberry
jorgedlcruz wrote:
> Hi guys,
> I will ask Engineering if they can help us to provide some clarity on the issue.
>
> Thanks

Have you?

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Thu Jan 25, 2018 1:24 pm
by Klug
The point was raised to Zimbra (France) and this forum (and Zeta ML) more than 10 days ago.

The answer should have been given in less than 15 minutes.
Anyone working on "support" or "product management" or "dev management" should know if a supported version of their software has issues with vulnerabilities disclosed several months ago.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Thu Jan 25, 2018 2:29 pm
by phoenix
Blueberry wrote:
> Have you?

It's taken thirteen days to get this far, you surely weren't expecting a quick answer, were you? :o

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Thu Jan 25, 2018 2:41 pm
by phoenix
jorgedlcruz wrote:
> I will ask Engineering if they can help us to provide some clarity on the issue.

I'll join Klug on this issue, surely this should have been posted (at the very least) in these forums as soon as this problem was seen by Zimbra. Have you actually told NE customers about this or is it just the forums that have been left out in the cold? There are users of your product that depend on it for their livelihoods, how can they protect that if you a) don't bother notifying them about possible security problems and b) give them some indication and follow-up on the status of the work on this problem?

Is there anyone responsible for the forums these days and why have they been abandoned by Zimbra? Many of your NE customers visit these forums as well as the OSS users and it seems that Zimbra (i.e. Synacor) couldn't give a fig about what goes on here, shame on them for not understanding and wasting this vital resource for your users. We test the products for you, report bugs and problems and as far as I can see we just get a kick in the teeth for our efforts. Although I guess, as usual, this post will be a total waste of time and will fall on deaf ears. If I ran my business and treated my customers like Zimbra runs these forums and treats its users I'd have been bankrupt a long time ago.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Thu Jan 25, 2018 6:36 pm
by jorgedlcruz
Hi guys,
I've escalated this issue again and as soon as I have more information I will let you know.

Thank you.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Jan 26, 2018 10:06 am
by Blueberry
Hi everyone,

@Phoenix, you got me laughing! It's good to laugh these days, when you pay tens of thousands of bucks for the ZCS NE each year and get absolutely NO support and no bug fixes at all from Zimbra!
So you're right, I wasn't expecting any answer at all.

Zimbra already owes us half of our 2017 yearly subscription as they didn't provide us any support nor any bug fixes since August 6th (ZCS 8.7.11). Any soon, if this situation does not improve, this will have to go to court.

Zimbra guys will soon meet Devon Null on top of the Kilimanjaro escalating like that for months now! :shock: :lol:

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 12:23 pm
by Blueberry
jorgedlcruz wrote:
> Hi guys,
> I've escalated this issue again and as soon as I have more information I will let you know.
>
> Thank you.

5 days later and still no feedback. Who's leading the development of Zimbra at Synacor?

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 1:43 pm
by scantec
Seems no one is - this is crap and irresponsible support - don't be surprised by paying customers abandoning Zimbra

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 3:16 pm
by jorgedlcruz
Hi guys,
Zimbra is going to release a Patch 9 for ZCS 8.6 by February 9th at the latest. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.

As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.

Best regards

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 3:51 pm
by jorgedlcruz
Already changed to P1 by Engineering and the team is working on it as well, I can't confirm that one will be included in this upcoming Patch. We can keep that conversation where it belongs > on the other topic for it.