Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails of all employees.

Zimbra, an open-source webmail platform used by more than 200,000 enterprises, contained a pair of vulnerabilities that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.

The first vulnerability is a Cross-Site Scripting bug (CVE-2021-35208) that can be triggered in a victim’s browser when viewing an incoming email. 

The second vulnerability is an interesting bypass of an allow-list that leads to a powerful Server-Side Request Forgery vulnerability (CVE-2021-35209). It can be exploited by an authenticated member of an organization with any permission role, which means that it can be combined with the first vulnerability.

The Vulnerability is Discovered by Simon Scannell, a vulnerability researcher at SonarSource.