CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Blueberry
Posts: 19
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Blueberry »

jorgedlcruz wrote: Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.

Thanks
Have you?
Klug
Ambassador
Posts: 2741
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

The point was raised to Zimbra (France) and this forum (and Zeta ML) more than 10 days ago.

The answer should have been given in less than 15 minutes.
Anyone working on "support" or "product management" or "dev management" should know if a supported version of their software has issues with vulnerabilities disclosed several months ago.
phoenix
Ambassador
Posts: 27263
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by phoenix »

Blueberry wrote: Have you?
It's taken thirteen days to get this far, you surely weren't expecting a quick answer were you? :o
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
phoenix
Ambassador
Posts: 27263
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by phoenix »

jorgedlcruz wrote: I will ask Engineering if they can help us to provide some clarity on the issue.
I'll join Klug on this issue, surely this should have been posted (at the very least) in these forums as soon as this problem was seen by Zimbra. Have you actually told NE customers about this or is it just the forums that have been left out in the cold? There are users of your product that depend on it for their livelihoods, how can they protect that if you a) don't bother notifying them about possible security problems and b) give them some indication and follow-up on the status of the work on this problem?

Is there anyone responsible for the forums these days and why have they been abandoned by Zimbra? Many of your NE customers visit these forums as well as the OSS users and it seems that Zimbra (i.e. Synacor) couldn't give a fig about what goes on here, shame on them for not understanding and wasting this vital resource for your users. We test the products for you, report bugs and problems and as far as I can see we just get a kick in the teeth for our efforts. Although I guess, as usual, this post will be a total waste of time and will fall on deaf ears. If I ran my business and treated my customers like Zimbra runs these forums and treats its users I'd have been bankrupt a long time ago.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Hi guys,
I've escalated this issue again and as soon as I have more information I will let you know.

Thank you.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Blueberry
Posts: 19
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Blueberry »

Hi everyone,

@Phoenix, you got me laughing! It's good to laugh these days, when you pay tens of thousands of bucks for the ZCS NE each year and get absolutely NO support and no bug fixes at all from Zimbra!
So you're right, I wasn't expecting any answer at all.

Zimbra already owes us half of our 2017 yearly subscription as they didn't provide us any support nor any bug fixes since August 6th (ZCS 8.7.11). Soon, if this situation does not improve, this will have to go to court.

Zimbra guys will soon meet Devon Null on top of the Kilimanjaro escalating like that for months now! :shock: :lol:
Blueberry
Posts: 19
Joined: Thu Jan 25, 2018 12:14 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Blueberry »

jorgedlcruz wrote: Hi guys,
I've escalated this issue again and as soon as I have more information I will let you know.

Thank you.
5 days later and still no feedback. Who's leading the development of Zimbra at Synacor?
scantec
Advanced member
Posts: 72
Joined: Mon May 05, 2014 11:55 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by scantec »

Seems no one is - this is crap and irresponsible support - don't be surprised by paying customers abandoning Zimbra
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Hi guys,
Zimbra is going to release a Patch 9 for ZCS 8.6 by February 9th at the latest. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.

As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Already changed to P1 by Engineering and the team is working on it as well, I can't confirm that one will be included in this upcoming Patch. We can keep that conversation where it belongs > on the other topic for it.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/