Zimbra Collaboration 8.6 Patch 4 and previous (CWE-79, CVE-2015-7609) – XSS vulnerabilities

On December 22, 2015, we announced patch 5 for Zimbra Collaboration 8.6. Patch 5 contained fixes for eight security issues, including two cross-site scripting (XSS) vulnerabilities (assigned CVE-2015-7609) that were reported in October of 2015 by security researchers at Fortinet’s Fortiguard Labs. It was a pleasure working with one of the top security companies out there.

If you are on Zimbra Collaboration 8.6, we recommend upgrading to Zimbra Collaboration Patch 6 (although Patch 5 is sufficient to correct the flaws identified here). For earlier releases, a non-official workaround for bug 101435 (which fixes a flawed regular expression that attempts to match a URL) is available on GitHub. Thank you to Frederic Maussion (Senior Solutions Advisor) for the non-official patch.

Please consider adding the Zimbra Security Advisories wiki (https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) to your bookmarks to stay up to date with the latest Zimbra security advisories.

[2016-02-24 05:00 GMT – Note: This post was edited to clarify that Patch 5 is sufficient to address the vulnerabilities referred to in this article.]

4 Responses to Zimbra Collaboration 8.6 Patch 4 and previous (CWE-79, CVE-2015-7609) – XSS vulnerabilities

  1. Jered February 23, 2016 at 4:26 PM

    I’m confused by this post — was this bug not sufficiently patched in Patch 5 and you are recommending Patch 6 be installed? I haven’t updated to Patch 6 (from 5) because the bugs fixed in Patch 6 don’t affect me.

    • Jorge de la Cruz February 23, 2016 at 6:05 PM

      Hi Jered, if you have Patch 5 you are sufficiently protected. ZCS 8.6 Patch 4 or earlier is affected by this issue.

      Best regards

  2. Mr. Gus February 23, 2016 at 6:21 PM

    I feel like this post should be rewritten for clarity. It’s basically an announcement of patch 6, which fixes a couple of bugs, but it’s presented as an FYI about the security vulnerabilities fixed in the prior patch. This makes it really easy to infer that patch 6 fixes security issues that have come up since patch 5.

    • Phil Pearl February 23, 2016 at 11:02 PM

      Hi Mr. Gus. This post was edited to clarify that Patch 5 is sufficient to address the vulnerabilities referred to in this article. Sorry for the confusion, and I hope things are clear now.