Security Advisory: Zimbra Community 8.x Security Vulnerability

June 30, 2014

Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team has just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.

Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.

Affected Versions: 8.0.0.37997 (unpatched), 8.0.1.39116

Vulnerability Scoring: CVSS: 1.4

Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx

Details: The administrative create-user feature calls non-public APIs that can cause a user’s password to be inadvertently stored insecurely alongside the user’s extended attributes.

Reporter: Alex Crome (Zimbra)

When does this occur?

1. Creating a user through the control panel using Membership Administration (requires administrative privileges)

2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)
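The two scenarios above share one shape: the create-user path carries the password along with the user’s other extended attributes, and anything that persists those attributes unfiltered (the unpatched create path itself, or a plugin that copies them and re-saves them through UpdateUser) leaves a plaintext copy next to the password hash. The following is an added example written for this advisory, not Zimbra Community or Telligent code: the in-memory store, the event hook signature, the `__create_password` key and the plugin allow-list are all assumptions used to model the flow. It runs the four combinations (unpatched/patched create path, no plugin/copy-all plugin/allow-listed plugin) and includes the audit check a practitioner would want: scan each user’s attributes for a string value that verifies against that user’s stored password hash.

```python
"""Model of the storage defect described in the advisory (added example).

Not Telligent/Zimbra Community code: the store, the event hook, the attribute
keys and the allow-list are assumptions. Only the shape of the flow
(create-user event -> copy extended attributes -> UpdateUser) comes from the
advisory's two scenarios.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes                      # the only legitimate place for the password
    extended_attributes: dict = field(default_factory=dict)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Assumed name of the transient key under which the non-public create API passes
# the password along with the other extended attributes of the create event.
TRANSIENT_PASSWORD_KEY = "__create_password"


class MembershipStore:
    """In-memory stand-in for the membership tables (constructed for the example)."""

    def __init__(self, patched: bool):
        self.patched = patched            # False models the affected 8.0.x builds
        self.users: dict[str, UserRecord] = {}

    def create_user(self, username, password, attrs, handlers=()):
        salt = os.urandom(16)
        # The create event carries the password among the extended attributes.
        event_attrs = {**attrs, TRANSIENT_PASSWORD_KEY: password}
        # Scenario 1: the unpatched path persists the event attributes as-is,
        # so the plaintext password lands in storage next to its hash.
        stored = dict(attrs) if self.patched else dict(event_attrs)
        self.users[username] = UserRecord(username, salt, hash_password(password, salt), stored)
        for handler in handlers:          # plugins subscribed to the create-user event
            handler(self, username, event_attrs)
        return self.users[username]

    def update_user(self, username, attrs):
        """Stand-in for the UpdateUser API: merges attributes into the record."""
        self.users[username].extended_attributes.update(attrs)

    def find_plaintext_password_leaks(self):
        """Audit check: a string attribute that verifies against the user's
        password hash is a plaintext copy of that user's password."""
        leaks = []
        for user in self.users.values():
            for key, value in user.extended_attributes.items():
                if isinstance(value, str) and hmac.compare_digest(
                    hash_password(value, user.salt), user.password_hash
                ):
                    leaks.append((user.username, key))
        return leaks


def plugin_copy_all(store, username, event_attrs):
    """Scenario 2: a plugin that re-saves every attribute from the create event,
    including the transient password, through UpdateUser."""
    store.update_user(username, event_attrs)


PLUGIN_OWNED_KEYS = {"department", "cost_center"}   # assumed plugin allow-list


def plugin_copy_allowlisted(store, username, event_attrs):
    """Hardened plugin: re-saves only the attributes it owns, never the whole event."""
    store.update_user(username, {k: v for k, v in event_attrs.items() if k in PLUGIN_OWNED_KEYS})


def run_scenarios():
    """Runs the four combinations and reports which ones leak a plaintext password."""
    results = {}
    for label, patched, handlers in [
        ("unpatched, no plugin", False, ()),
        ("patched, no plugin", True, ()),
        ("patched, copy-all plugin", True, (plugin_copy_all,)),
        ("patched, allow-list plugin", True, (plugin_copy_allowlisted,)),
    ]:
        store = MembershipStore(patched)
        store.create_user("alice", "correct horse battery", {"department": "ops"}, handlers)
        results[label] = store.find_plaintext_password_leaks()
    return results


if __name__ == "__main__":
    for label, leaks in run_scenarios().items():
        print(f"{label}: {'LEAK ' + str(leaks) if leaks else 'clean'}")
```

The point of the allow-list handler is that the patch to the create path does not protect a site whose own plugin re-saves the full event payload; a plugin should persist only the keys it owns. The audit method is the check to run after patching: it needs no knowledge of which key the password was stored under, because it recognises the password by verifying each attribute value against the stored hash.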

If you have any questions or would like assistance with applying the patch, please contact support.


Comments

  • Hi, we are having some problems after upgrading Zimbra to version 8.0.7. One of them is the automatic update of the inbox. We observe that this happens when any change is made in the Preferences of the mail account. One example: when the mail signature was changed. Is there any procedure or patch that we can apply? Thanks in advance.

    Commented on July 8, 2014 at 11:23 am
  • I need help. There was a bombardment of viruses against the ZIMBRA administrator server in Brazil, through INOVA. My e-mail was logged off and my password was changed. INOVA does not answer phone calls or attempts at contact. What do I have to do???

    Commented on July 9, 2014 at 11:06 am
  • Please reply here or to the e-mail: rguchoa@ig.com.br

    Commented on July 9, 2014 at 11:13 am
