Anthony Laou-Hine Tsuei

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration versions prior to 8.6.0 Patch 8 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests that add, modify, or remove accounts. This is possible due to the failure to use a CSRF token and perform referer header checks. **Recommendations** For versions prior to 8.6.0 Patch 8, update to 8.6.0 Patch 8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Admin Console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Server versions prior to 8.5 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface. These vulnerabilities allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences. This is achieved via a SOAP request to the `service/soap/BatchRequest` endpoint. **Recommendations** For versions prior to 8.5, update to version 8.5 or later to resolve the issue.