In a critical update for email server administrators, Zimbra released version 10.1.16, addressing high-severity security flaws, including cross-site scripting (XSS), XML external entity (XXE) injection, and LDAP injection.
The patch, rated high severity with high deployment risk, urges immediate upgrades to bolster defenses against these threats. The fixes address exploitable weaknesses in webmail, authentication, and API endpoints.
The release notes highlight restored stability in mail rendering without compromising protections, a direct response to prior issues.
Engineers fixed an XSS vulnerability in the Zimbra Webmail and Briefcase file-sharing features. Attackers could have injected malicious scripts via unsanitized inputs, potentially hijacking sessions or stealing data from logged-in users. Input validation now blocks such payloads effectively.
Another key patch targets authenticated LDAP injection. Flawed input handling in LDAP queries allowed attackers with valid credentials to manipulate search filters, risking unauthorized data extraction or privilege escalation.
Developers implemented stricter sanitization, limiting inputs to safe parameters and escaping special characters such as asterisks and parentheses that can enable injection attacks.
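The escaping described above, shown as an added Python example that is not Zimbra's code: untrusted values are escaped per RFC 4515 before they are interpolated into a filter, and a small structure check shows why the raw form is dangerous. The filter shape and the sample username are constructed assumptions.

```python
"""Added example: RFC 4515 escaping of untrusted values in LDAP search filters."""

# Characters that carry meaning inside an LDAP filter (RFC 4515, section 3).
# Each is replaced by a backslash and its two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use as an assertion value inside an LDAP filter."""
    # Per-character mapping, so a backslash is never double-escaped.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable form: the raw value is interpolated into the filter text."""
    return f"(&(uid={username})(objectClass=person))"


def build_user_filter(username: str) -> str:
    """Hardened form: the value is escaped, so it cannot change filter structure."""
    return f"(&(uid={escape_ldap_filter_value(username)})(objectClass=person))"


def count_assertions(ldap_filter: str) -> int:
    """Count attribute assertions, i.e. '(' not followed by an operator (&, |, !).

    Escaped parentheses appear as the literal text \\28 / \\29 and therefore
    are not counted, which makes this a cheap structural sanity check.
    """
    count = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(" and ldap_filter[i + 1 : i + 2] not in ("&", "|", "!"):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed input containing the filter metacharacters the patch escapes.
    sample = "*)(uid=*"
    print("unsafe  :", build_user_filter_unsafe(sample),
          "assertions =", count_assertions(build_user_filter_unsafe(sample)))
    print("escaped :", build_user_filter(sample),
          "assertions =", count_assertions(build_user_filter(sample)))
```

In production, use the library's own helper rather than a hand-rolled one; python-ldap ships `ldap.filter.escape_filter_chars` for exactly this purpose.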
The XXE vulnerability in the Exchange Web Services (EWS) SOAP endpoint posed risks of server-side request forgery and file disclosure. Malicious XML payloads could trick the parser into fetching external resources or reading local files.
This was resolved by turning off external entity processing and enforcing secure XML parsing libraries, a standard defense aligned with OWASP guidelines.
Additional hardening includes restoring the PDF preview in the Classic UI, securing it against prior exploits, and bolstering CSRF protections through rigorous token validation.
Vulnerability Table
| Vulnerability | Affected Component |
|---|---|
| XSS | Zimbra Webmail, Briefcase file sharing |
| LDAP Injection | Authenticated LDAP queries |
| XXE | EWS SOAP endpoint |
| CSRF | Web apps (Modern/Classic) |
These CSRF changes prevent unauthorized actions across the Modern and Classic web apps, ensuring tokens are unique, time-bound, and verified on every state-changing request.
Beyond security, the patch delivers technical upgrades to the Backup & Restore module, emphasizing efficiency without breaking backward compatibility.
Deduplication now spans internal and external S3 storage, slashing redundant data by default for new backups. Zstandard (zstd) compression optimizes deduplicated sets, cutting resource demands while boosting ratios.
Optional cross-session deduplication reuses unchanged blocks across runs, yielding up to 50% faster backups and 45% less storage usage.
Modern Web App refinements include Chrome-only email translation with auto-detection, smarter search that combines filters for precision, enhanced Briefcase for cross-app document creation, visual navigation with consistent icons, custom tag colors that sync across devices, improved image panning/zooming, and stable Zoom integration.
Beta support for Ubuntu 24 arrives for testing, though production use is discouraged. Fixes for more than 20 bugs across ActiveSync, EWS, Chat, and Zimbra Desktop round out the stability gains.
Zimbra’s swift response underscores the email platform’s vulnerability to web and injection attacks, which are common in collaboration tools that handle sensitive data. Organizations running older versions face increased risks; patch now to mitigate them.
| Fix Description | Potential Impact | Mitigation Strategy |
|---|---|---|
| Input sanitization and script blocking | Session hijacking, data theft | Upgrade to 10.1.16; enable CSP headers |
| Strict input escaping and parameter binding | Unauthorized data access, escalation | Upgrade; use prepared LDAP queries |
| Disabled external entities, secure XML parsing | SSRF, local file disclosure | Upgrade; restrict XML parsers |
| Token validation enforcement | Unauthorized actions | Upgrade; enforce HTTPS everywhere |
| Security safeguards restored | Exploit chaining, preview bypass | Upgrade; turn off previews if unused |
Site: cybersecuritypath.com