Zimbra Collaboration Suite ProxyServlet Server Side Request Forgery

Added: 06/06/2019
CVE: CVE-2019-9621

Background

Zimbra Collaboration Suite is an email, calendar, and collaboration solution for enterprises.

Problem

The ProxyServlet component allows a remote attacker to upload arbitrary files, which can then be executed, using XML External Entity injection and Server Side Request Forgery.

Resolution

Upgrade to Zimbra Collaboration Suite 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4, or 8.8.12 Patch 1 or higher.

References

https://bugzilla.zimbra.com/show_bug.cgi?id=109127
https://wiki.zimbra.com/wiki/Security_Center

Back to exploit index