Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.
Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.
Affected Versions: 18.104.22.168997 (unpatched), 22.214.171.124116
Vulnerability Scoring: CVSS: 1.4
Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx
Details: The administrative feature for creating users relies on non-public APIs that can cause a user’s password to be inadvertently stored insecurely.
Reporter: Alex Crome (Zimbra)
When does this occur?
1. Creating a user through the control panel using Membership Administration (requires administrative privileges)
2. It could also occur if a custom plugin was deployed that copied the extended attributes on a create-user event and then re-saved those attributes using the UpdateUser API (this is unlikely, but possible)
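The second scenario above is easy to reproduce in a plugin without noticing. The following is an added example, not Zimbra or Telligent code and not their plugin API: a small Python model of a create-user event whose attribute bag carries a transient password field, a plugin that blindly copies that bag back through an UpdateUser-style call, and the allowlist version that only re-saves the attributes it actually needs. The attribute name `__create_password`, the store, and the hook names are all assumptions made for the model; the advisory does not state which field holds the insecure copy.

```python
"""Added example (not Zimbra/Telligent code): models how a plugin that
copies every extended attribute from a create-user event and re-saves it
through an UpdateUser-style call can persist a transient password field,
and how an attribute allowlist avoids that."""

# Hypothetical placeholder: the advisory does not name the attribute that
# carries the insecure copy, so this key is constructed for the model.
TRANSIENT_PASSWORD_KEY = "__create_password"

# Attributes this (hypothetical) plugin legitimately needs to re-save.
ALLOWED_ATTRIBUTES = {"department", "location"}


class UserStore:
    """Constructed in-memory stand-in for the platform's user storage."""

    def __init__(self):
        self.users = {}
        self.on_create = None  # plugin hook: receives the raw event attribute bag

    def create_user(self, username, password, extended_attributes):
        # The event bag handed to plugins carries everything the create call saw,
        # including the transient password field (modelled, not the real API).
        event_bag = {**extended_attributes, TRANSIENT_PASSWORD_KEY: password}
        # The core create path itself drops the transient field before storing.
        self.users[username] = {
            k: v for k, v in event_bag.items() if k != TRANSIENT_PASSWORD_KEY
        }
        if self.on_create is not None:
            self.on_create(self, username, event_bag)
        return self.users[username]

    def update_user(self, username, extended_attributes):
        # Model of the UpdateUser path: it persists whatever it is handed.
        self.users[username].update(extended_attributes)
        return self.users[username]


def naive_plugin_on_create(store, username, event_attributes):
    """Risky pattern from the advisory: copy every attribute and re-save it."""
    return store.update_user(username, dict(event_attributes))


def hardened_plugin_on_create(store, username, event_attributes):
    """Re-save only the attributes the plugin is known to need."""
    safe = {k: v for k, v in event_attributes.items() if k in ALLOWED_ATTRIBUTES}
    return store.update_user(username, safe)


def find_persisted_passwords(store):
    """Defender's check: users whose stored attributes still carry the transient key."""
    return sorted(u for u, attrs in store.users.items() if TRANSIENT_PASSWORD_KEY in attrs)


def run_scenario(plugin):
    """Create one user (constructed sample data) with the given plugin installed
    and report which users ended up with a persisted password attribute."""
    store = UserStore()
    store.on_create = plugin
    store.create_user("alice", "s3cret-sample", {"department": "IT", "location": "NYC"})
    return find_persisted_passwords(store)


if __name__ == "__main__":
    print("naive plugin   :", run_scenario(naive_plugin_on_create))     # ['alice']
    print("hardened plugin:", run_scenario(hardened_plugin_on_create))  # []
```

The point of the model is the shape of the plugin code, not the platform internals: copying an entire event attribute bag and writing it back is what turns a transient field into a stored one, and an allowlist of the attributes the plugin actually owns is the simplest fix to review for in any custom code that handles create-user events.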
If you have any questions or would like assistance with applying the patch, please contact support.