Zimbra warns of serious flaw in its Collaboration Suite
Flaw is under active attack, according to Google security researcher
Zimbra, the email and collaboration software brand owned by Synacor, has disclosed a cross-site scripting (XSS) vulnerability in its Zimbra Collaboration Suite.
"An XSS vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said. "We take this matter very seriously and have already taken immediate action to address the issue."
According to Google Threat Analysis Group researcher Maddie Stone, the flaw is under active attack.
The company has published a workaround to mitigate the issue while it works on a patch.
"The issue has been fixed through input sanitisation," Zimbra says in an advisory.
"We have also performed rigorous testing to ensure the effectiveness and stability of the system. The fix is planned to be delivered in the July patch release."
Fortunately, the fix appears to be quite straightforward.
On each of their mailbox nodes, admins are instructed to back up the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto, then change one line of the original to prevent cross-site scripting.
A restart of the server is not required.
Zimbra's mitigation advice comes as email security is very much in the news.
Earlier this week, Microsoft revealed that Chinese hacking group Storm-0558 had obtained access to cloud-based Outlook email systems of 25 organisations, including multiple US government agencies.
Accounts belonging to Secretary of Commerce Gina Raimondo and officials from the Department of State were compromised, according to reports.
The hackers were able to create their own authentication tokens using a stolen cryptographic key, according to Microsoft, which says it has now fixed the problem.