PT-2021-20839 · Zimbra · Zimbra Collaboration Suite

Published: 2021-07-02 · Updated: 2023-03-30 · CVE-2021-35207

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
- Zimbra Collaboration Suite versions 8.8.0 through 8.8.15 Patch 22
- Zimbra Collaboration Suite versions 9.0.0 through 9.0.0 Patch 15
Description: A cross-site scripting issue exists in the login component of the Zimbra Web Client, allowing an attacker to execute arbitrary JavaScript in a victim's browser. The vulnerability is triggered by placing executable JavaScript in the loginErrorCode parameter of the login URL, which the login page reflects without adequate encoding. The affected component is the login URL itself; the advisory does not identify a specific API endpoint such as "/api/v1/login".
Recommendations: For Zimbra Collaboration Suite versions 8.8.0 through 8.8.15 Patch 22, update to version 8.8.15 Patch 23 or later. For Zimbra Collaboration Suite versions 9.0.0 through 9.0.0 Patch 15, update to version 9.0.0 Patch 16 or later. As a temporary workaround, consider restricting access to the login component of the Zimbra Web Client to minimize the risk of exploitation. Avoid using the loginErrorCode parameter in the affected login URL until the issue is resolved.
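As an added defender-side illustration (not Zimbra's code or its fix), the following Python shows the two controls the description implies: rendering loginErrorCode only through an allow-list plus HTML escaping, and flagging web-server log entries whose loginErrorCode value is unknown or carries markup. The error-code table and log lines are constructed samples.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Allow-list of error codes the login page is expected to receive.
# Illustrative values only; this is not Zimbra's real error-code table.
KNOWN_ERROR_CODES = {
    "account.AUTH_FAILED": "The username or password is incorrect.",
    "account.MAINTENANCE_MODE": "The server is in maintenance mode.",
    "service.AUTH_EXPIRED": "Your session has expired; please sign in again.",
}

def render_login_error(code):
    """Safe rendering of a loginErrorCode value: allow-list lookup, then HTML-escape.
    An unrecognised code is never echoed back; a generic message is shown instead."""
    message = KNOWN_ERROR_CODES.get(code, "Login failed.")
    return '<div class="error">' + html.escape(message, quote=True) + "</div>"

# Markup and script metacharacters that never belong in a legitimate error code.
_META = re.compile(r'[<>"\'`]|javascript:|on\w+\s*=', re.IGNORECASE)

# Request line in Common Log Format, e.g. "GET /zimbra/?loginErrorCode=... HTTP/1.1"
_REQ = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

def suspicious_login_error_codes(log_lines):
    """Return (line_no, decoded_value) for requests whose loginErrorCode value is
    not a known code or contains HTML/JS metacharacters after URL-decoding."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQ.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for raw in params.get("loginErrorCode", []):
            value = unquote(raw)  # second decode catches double-encoded values
            if value not in KNOWN_ERROR_CODES or _META.search(value):
                hits.append((n, value))
    return hits

# Constructed access-log sample: one legitimate code, one with markup, one unknown.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2021:10:00:01 +0000] "GET /zimbra/?loginErrorCode=account.AUTH_FAILED HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jul/2021:10:00:07 +0000] "GET /zimbra/?loginErrorCode=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jul/2021:10:00:09 +0000] "GET /zimbra/?loginErrorCode=unknown.CODE HTTP/1.1" 200 512',
]
```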

Fix

Weakness Enumeration: XSS

Related Identifiers: CVE-2021-35207

Affected Products:
- Zimbra Collaboration Suite
- Zimbra Web Client