CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting


CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Fri Jan 12, 2018 9:40 am

Hello all,

It's out on the bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.

In the announcement mail, we learn that Zimbra/Synacor was notified last May.
We also learn that any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on December 12 and guidance was released to us (customers/users).

However...

There is nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find information)
The bug (107925) is obviously private.
8.6 that is supposed to be under "Technical Guidance" and "General Support" doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).

The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different information), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?

Can someone from Zimbra/Synacor make a clear statement on all this?



Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Fri Jan 12, 2018 12:51 pm

Checked a little further (thanks to Malte), 8.6 is actually vulnerable (the bad code is in).

This is insane.
