Khanh Viet Pham

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Suite versions 8.7.x through 8.7.11p9 **Description** The issue is related to an XML External Entity injection (XXE) vulnerability in the mailboxd component of the Zimbra Collaboration Suite, specifically affecting the Autodiscover/Autodiscover.xml endpoint. This vulnerability can be exploited by a remote attacker to perform an XXE attack. The vulnerability is due to improper restriction of XML external entity references. **Recommendations** For Zimbra Collaboration Suite versions 8.7.x through 8.7.11p9, update to version 8.7.11p10 or later to resolve the issue. As a temporary workaround, consider restricting access to the Autodiscover/Autodiscover.xml endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Suite versions prior to 8.6 patch 13 Zimbra Collaboration Suite versions 8.7.x prior to 8.7.11 patch 10 Zimbra Collaboration Suite versions 8.8.x prior to 8.8.10 patch 7 Zimbra Collaboration Suite versions 8.8.x prior to 8.8.11 patch 3 **Description** The issue resides in insufficient input validation within Zimbra Collaboration Suite. Exploitation of this issue may allow a remote attacker to perform a Server-Side Request Forgery (SSRF) attack via the `ProxyServlet` component. SSRF occurs when an attacker can cause the server to make requests to unintended locations. **Recommendations** Zimbra Collaboration Suite versions prior to 8.6 patch 13 should be updated to version 8.6 patch 13 or later. Zimbra Collaboration Suite versions 8.7.x prior to 8.7.11 patch 10 should be updated to version 8.7.11 patch 10 or later. Zimbra Collaboration Suite versions 8.8.x prior to 8.8.10 patch 7 should be updated to version 8.8.10 patch 7 or later. Zimbra Collaboration Suite versions 8.8.x prior to 8.8.11 patch 3 should be updated to version 8.8.11 patch 3 or later.