ZCS FOSS 10.1.10 - Security fixes and embargoed commits

adrian.gibanel.btactic
Outstanding Member
Posts: 582
Joined: Thu Jan 30, 2014 11:13 am

ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by adrian.gibanel.btactic »

This thread will study ZCS NE 10.1.10 (released on July 18, 2025) security fixes and their ZCS FOSS 10.1.10 counterpart commits.

Security fixes (From 10.1.10 NE)
  • Access to the GraphiQL IDE at /modern/graphiql has been disabled. (NE-ONLY. DISCARDED)
  • The @babel/runtime package has been upgraded to version 7.27.6 to address a ReDoS vulnerability. (NE-ONLY. DISCARDED)
  • Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation. Suspected to be an embargoed commit.
  • A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes. As a big part of what Zimbra needs to handle 2FA is outside of the NE-only 2FA extension I am not actually sure if this is embargoed or NE-ONLY.
  • The Rsync package has been upgraded to version 3.4.1 to fix multiple vulnerabilities. (1/2) ZBUG-4670: Upgraded rsync to 3.4.1 from packages 10.1.10 tag. (2/2) ZBUG-4670: Updated zimbra-core-components for rsync from packages 10.1.10 tag.
Help needed
In order to recreate ZCS FOSS 10.1.10 as similar to ZCS NE 10.1.0 in a timely manner we need to figure out ways to either recreate these security fixes' counterpart commits or find them in the repos (I might have overlooked them after all):
  • Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation.
  • A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes.
Thank you very much!

Extra resources
- You can check/update: Zimbra FOSS CVE commits wiki page where these commits can be tracked.

---

Update: As of 2025 07 25 the two sections below can be ignored because those missing commits have been pushed to the FOSS repos.

Build breakage
As you might know builds from ZCS FOSS 10.1.8 cannot be built properly.
So you need to include/cherry-pick ZCS-17098 Added new LC attribute for path depth max commit from zm-mailbox development branch so that it builds ok.

Additional commit
In addition to the above you might also want to include this missing commit from ZCS NE 10.1.8 which hasn't been pushed to the 10.1.8 tag but to the development branch: ZCS-17206 : handled attribute check errors.
Last edited by adrian.gibanel.btactic on Fri Jul 25, 2025 8:04 am, edited 1 time in total.
umashankar.avagadda
Zimbra Employee
Posts: 163
Joined: Wed Apr 05, 2023 6:29 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by umashankar.avagadda »

The Build breakage and Additional commit issues have been fixed. Please verify.
adrian.gibanel.btactic
Outstanding Member
Posts: 582
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by adrian.gibanel.btactic »

umashankar.avagadda wrote: Thu Jul 24, 2025 12:34 pm The Build breakage and Additional commit issues have been fixed. Please verify.
- zm-mailbox 10.1.8 tag. ZCS-17098 (Build breakage commit). OK.
- zm-mailbox 10.1.8 tag. ZCS-17206 (Additional commit). OK.
- zm-mailbox 10.0.14 tag. ZCS-17098 (Build breakage commit). OK.
- zm-mailbox 10.0.14 tag. ZCS-17206 (Additional commit). It's not there but it's ok because it's somehow already integrated in the code.

- zm-mailbox 10.1.9 tag. ZCS-17098 (Build breakage commit). Tag not present but it's not a problem because build inherits it from smaller tag.
- zm-mailbox 10.1.9 tag. ZCS-17206 (Additional commit). Tag not present but it's not a problem because build inherits it from smaller tag.
- zm-mailbox 10.0.15 tag. ZCS-17098 (Build breakage commit). Tag not present but it's not a problem because build inherits it from smaller tag.
- zm-mailbox 10.0.15 tag. ZCS-17206 (Additional commit). Tag not present but it's not a problem because build inherits it from smaller tag.

- zm-mailbox 10.1.10 tag. ZCS-17098 (Build breakage commit). OK.
- zm-mailbox 10.1.10 tag. ZCS-17206 (Additional commit). WRONG. This commit has not been pushed to 10.1.10. If somehow it has been removed from 10.1.10 there should be a revert commit there.
- zm-mailbox 10.0.16 tag. ZCS-17098 (Build breakage commit). Tag not present but it's not a problem because build inherits it from smaller tag.
- zm-mailbox 10.0.16 tag. ZCS-17206 (Additional commit). Tag not present but it's not a problem because build inherits it from smaller tag.

- zm-mailbox 9.0.0.p45 tag. ZCS-17098 (Build breakage commit). WRONG. No tag has been pushed.
- zm-mailbox 9.0.0.p45 tag. ZCS-17206 (Additional commit). WRONG. No tag has been pushed. (Not sure if this additional commit made it into ZCS NE 9.0.0.p45 though).

- zm-mailbox 9.0.0.p46 tag. ZCS-17098 (Build breakage commit). WRONG. It cannot inherit from smaller tag because that smaller tag does not exist.
- zm-mailbox 9.0.0.p46 tag. ZCS-17206 (Additional commit). WRONG. It cannot inherit from smaller tag because that smaller tag does not exist.
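Added helper (not part of this post and not code from the Zimbra repositories): a small Python script that automates the per-tag verification done above. It asks git whether a commit mentioning a ticket id (ZCS-17098, ZCS-17206) is reachable from each tag of a release line and applies the rule used in the list, namely that a missing tag is judged by the nearest earlier tag that does exist, and that a missing tag with no earlier tag cannot inherit anything (the 9.0.0.p46 case). build_demo_repo() constructs a throwaway repository whose tag 10.1.8 carries both commits and whose tag 10.1.10 carries only ZCS-17098, mirroring the state reported above; the history is linear and the tag names and commit messages are constructed for the demo, not taken from zm-mailbox. Point check_release_line() at a real clone of zm-mailbox with its real tag names to reproduce the check.

```python
# Added helper, not from this thread or from Zimbra: per-tag presence check for a
# ticket id, with the "missing tag inherits from the nearest earlier tag" rule.
import shutil
import subprocess
import tempfile

GIT_AVAILABLE = shutil.which("git") is not None


def git(repo, *args):
    """Run a git command inside repo and return its stdout, raising on failure."""
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout.strip()


def tag_exists(repo, tag):
    proc = subprocess.run(["git", "-C", repo, "rev-parse", "--verify", "--quiet",
                           f"refs/tags/{tag}"], capture_output=True)
    return proc.returncode == 0


def ticket_in_ref(repo, ref, ticket):
    """True if any commit reachable from ref mentions the ticket id in its message."""
    return git(repo, "log", ref, "--format=%H", "--fixed-strings", f"--grep={ticket}") != ""


def check_release_line(repo, tags, ticket):
    """tags is one release line in ascending order, e.g. 10.1.8, 10.1.9, 10.1.10."""
    results, last_present = {}, None
    for tag in tags:
        if tag_exists(repo, tag):
            last_present = tag
            results[tag] = "OK" if ticket_in_ref(repo, tag, ticket) else "MISSING"
        elif last_present is None:
            results[tag] = "NO_TAG_AND_NOTHING_TO_INHERIT"   # the 9.0.0.p46 situation above
        elif ticket_in_ref(repo, last_present, ticket):
            results[tag] = f"INHERITED_FROM_{last_present}"
        else:
            results[tag] = f"MISSING_IN_{last_present}"
    return results


def build_demo_repo():
    """Constructed repository (not zm-mailbox): tag 10.1.8 has both commits, 10.1.10 only ZCS-17098."""
    repo = tempfile.mkdtemp(prefix="zm-demo-")
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "demo@example.invalid")
    git(repo, "config", "user.name", "demo")
    git(repo, "commit", "-q", "--allow-empty", "-m", "base")
    git(repo, "commit", "-q", "--allow-empty", "-m", "ZCS-17098 Added new LC attribute for path depth max")
    git(repo, "tag", "10.1.10")
    git(repo, "commit", "-q", "--allow-empty", "-m", "ZCS-17206 : handled attribute check errors")
    git(repo, "tag", "10.1.8")
    return repo


def demo():
    """Check both tickets against the 10.1.x line of the constructed repository."""
    repo = build_demo_repo()
    try:
        tags = ["10.1.8", "10.1.9", "10.1.10"]
        return {t: check_release_line(repo, tags, t) for t in ("ZCS-17098", "ZCS-17206")}
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    if GIT_AVAILABLE:
        for ticket, per_tag in demo().items():
            print(ticket, per_tag)
```

The grep matches on commit messages, so it relies on the ticket id being kept in the message when a commit is cherry-picked; a commit that was squashed or reworded would show as MISSING even if its change is present, which is the situation the 10.0.14 entry above describes.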
umashankar.avagadda
Zimbra Employee
Posts: 163
Joined: Wed Apr 05, 2023 6:29 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by umashankar.avagadda »

- zm-mailbox 10.1.10 tag. ZCS-17206 (Additional commit). WRONG. This commit has not been pushed to 10.1.10. If somehow it has been removed from 10.1.10 there should be a revert commit there.
-> ZCS-17206 changes are now included in 10.1.10.

- zm-mailbox 9.0.0.p45 tag. ZCS-17098 (Build breakage commit). WRONG. No tag has been pushed.
-> The 9.0.0.p45 tag has now been published.

- zm-mailbox 9.0.0.p45 tag. ZCS-17206 (Additional commit). WRONG. No tag has been pushed. (Not sure if this additional commit made it into ZCS NE 9.0.0.p45 though).
-> This change is not planned for ZCS 9.0.0.

- zm-mailbox 9.0.0.p46 tag. ZCS-17098 (Build breakage commit). WRONG. It cannot inherit from smaller tag because that smaller tag does not exist.
-> This is fine, as the 9.0.0.p45 tag has now been published.

- zm-mailbox 9.0.0.p46 tag. ZCS-17206 (Additional commit). WRONG. It cannot inherit from smaller tag because that smaller tag does not exist.
-> This change is not planned for ZCS 9.0.0.
adrian.gibanel.btactic
Outstanding Member
Posts: 582
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by adrian.gibanel.btactic »

umashankar.avagadda wrote: Thu Jul 24, 2025 12:34 pm The Build breakage and Additional commit issues have been fixed. Please verify.
( Second pass. )

- zm-mailbox 10.1.10 tag. ZCS-17206 (Additional commit). OK.

- zm-mailbox 9.0.0.p45 tag. ZCS-17098 (Build breakage commit). OK.
- zm-mailbox 9.0.0.p45 tag. ZCS-17206 (Additional commit). Ignored. It was not actually part of ZCS NE 9.0.0.p45.

- zm-mailbox 9.0.0.p46 tag. ZCS-17098 (Build breakage commit). Tag not present but it's not a problem because build inherits it from smaller tag.
- zm-mailbox 9.0.0.p46 tag. ZCS-17206 (Additional commit). Ignored. It was not actually part of ZCS NE 9.0.0.p45.

So, everything is good so far.

---

Regarding the additional commit which was missing, I wonder if we have to be concerned about older commits that were supposed to end up in FOSS repos and didn't.
I mean, the community usually focuses on security changes. This additional commit isn't a NE-ONLY commit but somehow it was almost lost.

---

@umashankar.avagadda: Make sure to include both commits into your internal FOSS branches/repos so that in the next FOSS release in the Github repos they are not lost. Thank you.

And, well, also thank you for fixing those old messed up versions in the Github repos. This was a headache for the community.
adrian.gibanel.btactic
Outstanding Member
Posts: 582
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by adrian.gibanel.btactic »

ZCS NE 10.0.16 and ZCS NE 10.1.10 were released on July 18, 2025.

As of today this is 90 days of embargo, which has not been lifted yet.
adrian.gibanel.btactic
Outstanding Member
Posts: 582
Joined: Thu Jan 30, 2014 11:13 am

Re: ZCS FOSS 10.1.10 - Security fixes and embargoed commits

Post by adrian.gibanel.btactic »

adrian.gibanel.btactic wrote: Thu Jul 24, 2025 9:02 am Help needed
In order to recreate ZCS FOSS 10.1.10 as similar to ZCS NE 10.1.0 in a timely manner we need to figure out ways to either recreate these security fixes' counterpart commits or find them in the repos (I might have overlooked them after all):
  • Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation.
  • A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes.
It seems I have overlooked the release notes being updated to link to the CVEs.

---

- Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation is CVE-2025-54390, whose description is:

A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious webpage that silently sends a crafted SOAP request to reset the user's password. The vulnerability stems from a lack of CSRF token validation on the endpoint, allowing password resets without the user's consent.

- A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes is CVE-2025-54391, whose description is:

A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA.

---

Once I have read those detailed descriptions this is much more understandable.

- CVE-2025-54391 regarding 2FA is probably NE only and I will have to create a specific fix for Maldua's Zimbra 2FA if my codebase is affected. It should be quite straightforward.
- CVE-2025-54390 regarding ResetPasswordRequest, well, now I can start to check what needs to be fixed in that part of the code by checking zimbraFeatureResetPasswordStatus. I might need some help from the community regarding the CSRF part though.
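Added illustration (not Zimbra's code, not from this thread, and not a description of how ZCS implements the fixes): a small Python model of the two server-side checks the 10.1.10 notes and the two CVE descriptions above describe. For ResetPasswordRequest the hardened path requires a CSRF token that is bound to the session and that a cross-site page cannot read, on top of the auth cookie the browser sends automatically; for EnableTwoFactorAuthRequest the hardened path requires a valid auth token, which in this model is only issued after a complete login, instead of accepting credentials in the request body. SoapServer, Account, Session, Request, the response strings and the sample accounts are all constructed for this example; reset_password_enabled stands in for zimbraFeatureResetPasswordStatus. Calling the demo functions with enforce_fixes=False shows the pre-fix behaviour the CVE descriptions give, and with True the hardened behaviour.

```python
# Added example, not Zimbra's code: toy SOAP dispatcher modelling the checks
# described for CVE-2025-54390 (CSRF token) and CVE-2025-54391 (auth token).
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    name: str
    password: str
    reset_password_enabled: bool = True      # stands in for zimbraFeatureResetPasswordStatus
    two_factor_methods: list = field(default_factory=list)


@dataclass
class Session:
    # Issued only after a complete login (password plus second factor when one is configured).
    account: str
    auth_token: str = field(default_factory=lambda: secrets.token_hex(16))
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    operation: str
    cookie_auth_token: Optional[str] = None  # browsers attach cookies to cross-site requests too
    csrf_header: Optional[str] = None        # only the legitimate client can read and send this
    body: dict = field(default_factory=dict)


class SoapServer:
    def __init__(self, enforce_fixes: bool):
        self.enforce_fixes = enforce_fixes
        self.accounts: dict = {}
        self.sessions: dict = {}

    def login(self, name, password, second_factor_passed=False):
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        if acct.two_factor_methods and not second_factor_passed:
            return None                       # no auth token until the second factor is proven
        session = Session(name)
        self.sessions[session.auth_token] = session
        return session

    def _csrf_ok(self, req, session):
        # Constant-time comparison of the header token against the session-bound token.
        return req.csrf_header is not None and hmac.compare_digest(req.csrf_header, session.csrf_token)

    def dispatch(self, req):
        session = self.sessions.get(req.cookie_auth_token or "")
        if req.operation == "ResetPasswordRequest":
            if session is None:
                return "AUTH_REQUIRED"
            acct = self.accounts[session.account]
            if not acct.reset_password_enabled:
                return "FEATURE_DISABLED"
            if self.enforce_fixes and not self._csrf_ok(req, session):
                return "CSRF_REJECTED"        # the fix: the cookie alone is not proof of intent
            acct.password = req.body["password"]
            return "OK"
        if req.operation == "EnableTwoFactorAuthRequest":
            if not self.enforce_fixes:
                # Pre-fix behaviour: credentials in the body suffice, so an already
                # configured second factor is never consulted.
                acct = self.accounts.get(req.body.get("account", ""))
                if acct is None or not hmac.compare_digest(acct.password, req.body.get("password", "")):
                    return "AUTH_FAILED"
            else:
                if session is None:
                    return "AUTH_REQUIRED"    # the fix: a valid auth token is mandatory
                acct = self.accounts[session.account]
            acct.two_factor_methods.append(req.body["method"])
            return "OK"
        return "UNKNOWN_OPERATION"


def csrf_demo(enforce_fixes, client_sends_csrf_token):
    """ResetPasswordRequest carrying alice's cookie, with or without the session's CSRF token."""
    srv = SoapServer(enforce_fixes)
    srv.accounts["alice"] = Account("alice", "pw-alice")
    sess = srv.login("alice", "pw-alice")
    header = sess.csrf_token if client_sends_csrf_token else None
    req = Request("ResetPasswordRequest", sess.auth_token, header, {"password": "new-pw"})
    return srv.dispatch(req), srv.accounts["alice"].password


def two_factor_demo(enforce_fixes):
    """bob has TOTP configured; password known but second factor not passed, so no token exists."""
    srv = SoapServer(enforce_fixes)
    srv.accounts["bob"] = Account("bob", "pw-bob", two_factor_methods=["totp"])
    assert srv.login("bob", "pw-bob") is None
    req = Request("EnableTwoFactorAuthRequest", None, None,
                  {"account": "bob", "password": "pw-bob", "method": "email"})
    return srv.dispatch(req), list(srv.accounts["bob"].two_factor_methods)
```

The CSRF check follows the session-bound token pattern (token stored server-side per session, echoed by the client in a header or request field, compared in constant time); whether ZCS binds its token the same way is not stated in this thread, so the model only shows why the token is needed in addition to the cookie. The 2FA half shows the same principle: a request that can change authentication settings must be authorised by the full login state, not by the password alone.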