Robert-Scheck

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Open Source version 8.8.15 **Description** The issue concerns the lack of encryption for the initial-login randomly created password, which is generated by the `zmprove ca` command. This password is visible in cleartext on port UDP 514, also known as the syslog port. A third party has reported that this issue cannot be reproduced. **Recommendations** For Zimbra Collaboration Open Source version 8.8.15, consider restricting access to the syslog port (UDP 514) to minimize the risk of password exposure until a fix is available. As a temporary workaround, avoid using the `zmprove ca` command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wekan versions prior to 4.87 **Description** The issue allows Wekan to process connections even though they are not authorized by the Certification Authority trust store. This is due to a problem in the packages/wekan-ldap/server/ldap.js file. **Recommendations** For Wekan versions prior to 4.87, update to version 4.87 or later to resolve the issue. As a temporary workaround, consider restricting access to the ldap.js file until a patch is available.