Zimbra has warned of a critical security issue affecting its collaboration software and email platform that is being actively exploited in real-world attacks.
“A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced,” the software maker said in a security advisory.
The vulnerability, which has yet to receive a CVE identifier, is a cross-site scripting (XSS) issue that allows a remote attacker to steal potentially sensitive information, alter the appearance of the web page, and carry out phishing and drive-by-download attacks.
According to Zimbra, the flaw has been addressed, but the fix will be available as part of the July patch release. In the meantime, the company recommends users apply the fix manually on all of their mailbox nodes:
1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
2. Edit this file and go to line number 40
3. Update the parameter value as below:
   <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
4. Before the update, the line appeared as below:
   <input name="st" type="hidden" value="${param.st}"/>
   After the update, the line should appear as below:
   <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
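As an added illustration that is not part of Zimbra's advisory or code base, the Python below emulates what the momoveto template emits for the "st" request parameter before and after the fix, shows why the escaped form keeps attacker-controlled input inside the attribute, and adds a small check that classifies a copy of the file as patched or not. The helper names, the use of html.escape as a stand-in for JSTL's fn:escapeXml, and the sample value are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from pathlib import Path

# The two forms of line 40 quoted in the advisory.
VULNERABLE = '<input name="st" type="hidden" value="${param.st}"/>'
PATCHED = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'


def render_hidden_input(st_param: str, patched: bool) -> str:
    """Emulate what the momoveto JSP emits for the 'st' request parameter.
    JSTL fn:escapeXml replaces & < > " and ' with entities; html.escape with
    quote=True performs the same five substitutions, so it stands in here."""
    value = html.escape(st_param, quote=True) if patched else st_param
    return f'<input name="st" type="hidden" value="{value}"/>'


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) for every start tag a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Parse rendered markup the way a browser's HTML parser would."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def momoveto_state(text: str) -> str:
    """Classify momoveto contents: 'vulnerable' if the unescaped form is
    present, 'patched' if only the escaped form is, otherwise 'unknown'."""
    if VULNERABLE in text:
        return "vulnerable"
    if PATCHED in text:
        return "patched"
    return "unknown"


def check_momoveto(path="/opt/zimbra/jetty/webapps/zimbra/m/momoveto") -> str:
    """Read the file from a mailbox node and report its patch state."""
    return momoveto_state(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed sample: a value that closes the attribute and adds another.
    sample = 'x" data-injected="yes'
    for patched in (False, True):
        print("patched" if patched else "vulnerable",
              parse_tags(render_hidden_input(sample, patched)))
```

Run check_momoveto() on each mailbox node after applying the manual edit; anything other than "patched" means the file still needs attention.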