PT-2019-6062 · Zimbra · Zimbra Collaboration Suite

An Trinh

Published: 2019-05-29 · Updated: 2025-11-04 · CVE-2019-9670

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Zimbra Collaboration Suite versions 8.7.x through 8.7.11p9

Description

An XML External Entity (XXE) injection vulnerability exists in the mailboxd component of the Zimbra Collaboration Suite, affecting the Autodiscover/Autodiscover.xml endpoint. A remote attacker can exploit it to perform an XXE attack. The cause is improper restriction of XML external entity references.

Recommendations

For Zimbra Collaboration Suite versions 8.7.x through 8.7.11p9, update to version 8.7.11p10 or later to resolve the issue. As a temporary workaround, consider restricting access to the Autodiscover/Autodiscover.xml endpoint until a patch is applied.
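
What restricting external entity references can look like for Autodiscover-style request bodies, as an added example that is not Zimbra's code and not part of this advisory: the parser refuses any DOCTYPE or entity declaration before processing it. The function names, verdict strings and sample bodies are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample bodies (simplified Autodiscover-style requests, not captured traffic).
BENIGN = (b'<?xml version="1.0"?><Autodiscover><Request>'
          b'<EMailAddress>user@example.com</EMailAddress>'
          b'</Request></Autodiscover>')
WITH_DOCTYPE = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE Autodiscover SYSTEM "http://example.invalid/constructed.dtd">'
                b'<Autodiscover><Request/></Autodiscover>')
MALFORMED = b'<Autodiscover><Request></Autodiscover>'


class DtdRejected(ValueError):
    """The body carries a DOCTYPE or entity declaration."""


def parse_without_dtd(body: bytes) -> list:
    """Return element names in document order; abort as soon as a DTD appears."""
    names = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raised before any entity is declared or resolved.
        raise DtdRejected(f"DOCTYPE declaration for {name!r} is not allowed")

    def on_entity(*_args):
        raise DtdRejected("entity declaration is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(body, True)  # exceptions raised in handlers propagate to the caller
    return names


def screen(body: bytes) -> str:
    """Hypothetical verdict for a request body: accept, reject-dtd or reject-malformed."""
    try:
        parse_without_dtd(body)
    except DtdRejected:
        return "reject-dtd"
    except expat.ExpatError:
        return "reject-malformed"
    return "accept"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("doctype", WITH_DOCTYPE), ("malformed", MALFORMED)):
        print(label, screen(body))
```
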

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2021-04391
CVE-2019-9670

Affected Products

Zimbra Collaboration Suite