On December 22, 2015, we announced patch 5 for Zimbra Collaboration 8.6. Patch 5 contained fixes for eight security issues, including two cross-site scripting (XSS) vulnerabilities (assigned CVE-2015-7609) that were reported in October of 2015 by security researchers at Fortinet’s Fortiguard Labs. It was a pleasure working with one of the top security companies out there.
If you are on Zimbra Collaboration 8.6, we recommend upgrading to Patch 6 (although Patch 5 is sufficient to correct the flaws identified here). For earlier releases, a non-official workaround for bug 101435 (which replaces a flawed regular expression used to match URLs) is available on GitHub. Thank you to Frederic Maussion (Senior Solutions Advisor) for the non-official patch.
Please consider adding the Zimbra Security Advisories wiki (https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) to your bookmarks to stay up to date with the latest Zimbra security advisories.
[2016-02-24 05:00 GMT – Note: This post was edited to clarify that Patch 5 is sufficient to address the vulnerabilities referred to in this article.]