CVE-2021-34807

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions prior to 9.0

Description: An open redirect issue exists in the /preauth Servlet. To exploit this, an attacker needs a valid zimbra auth token or preauth token. With the token, an attacker can redirect a user to any URL using the "isredirect=1&redirectURL=" parameter in conjunction with the token data, such as a valid "authtoken=" value.

Recommendations: For Zimbra Collaboration Suite versions prior to 9.0, update to version 9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /preauth Servlet to minimize the risk of exploitation. Avoid using the "isredirect=1&redirectURL=" parameter in the affected API endpoint until the issue is resolved.