
=====================================================================

                            CERT-Renater

                  Note d'Information No. 2025/VULN079

_____________________________________________________________________

DATE                : 10/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zimbra 9.0.0 before Patch 44,
                      Zimbra Daffodil 10.0.x before 10.0.13, or
                      Zimbra Daffodil 10.1.x before 10.1.5.

=====================================================================
https://blog.zimbra.com/2025/01/new-patch-for-zimbra-classic-web-client-vulnerability-stay-secure-by-updating/
_____________________________________________________________________

Patch for Zimbra Classic Web Client Vulnerability – Stay Secure by
Updating
By Karyn Tan on January 27, 2025 in Product News, Product Updates,
Security & Privacy

CRITICAL SECURITY PATCH

This alert is sent out to all Zimbra partners, customers and
subscribers


Patch Security Severity: High

Deployment Risk: Low


This patch fixes a critical security vulnerability related to stored
cross-site scripting in the Zimbra Classic Web Client.

The fix strengthens input sanitization and enhances security. All
customers are strongly advised to upgrade to this latest patch
version immediately.


APPLY THIS PATCH IMMEDIATELY

To allow all customers to apply this patch in a timely manner, the
enforcement of zimbraLowestSupportedAuthVersion level=2 that was
introduced in the previous patch release has been reverted.


This allows customers who did not upgrade to the previous patch
release due to LDAP load concerns to apply this patch directly.

Note: Customers already on zimbraLowestSupportedAuthVersion
level=2 should retain their current setting.


We strongly urge Zimbra administrators to ensure their systems are
up to date with the latest security updates and patched versions:

    Zimbra Daffodil 10.1.5 (Release Notes)  
    Zimbra Daffodil 10.0.13 (Release Notes)
    9.0.0 P44 (Release Notes)

Existing Zimbra 9 customers have until 06/30/2025 to upgrade to
the new version (Daffodil v10).
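The following script is an added example for this notice; it is not
CERT-Renater's or Zimbra's own tooling. It checks a `zmcontrol -v` release
line against the fixed levels listed above (9.0.0 P44, 10.0.13, 10.1.5) and,
on a real host, preserves an existing zimbraLowestSupportedAuthVersion level=2
across the patch run, as the note above asks. The release-line format it
parses is an assumption (the usual "Release 10.0.12.GA.<build>..." and
"..., Patch 9.0.0_P43." shapes); the sample lines are constructed, not
captured from any host. `zmprov gcf` / `zmprov mcf` are the standard
get/modify global-config commands.

```shell
#!/bin/sh
# Added example for this notice; not CERT-Renater's or Zimbra's own tooling.
# Part 1 decides from a `zmcontrol -v` release line whether the install is
# below the fixed level named in the notice (9.0.0 P44, 10.0.13, 10.1.5).
# Part 2 keeps zimbraLowestSupportedAuthVersion at 2 across the patch run for
# sites that already enforce it.
#
# Assumption (not stated in the notice): `zmcontrol -v` prints lines such as
#   Release 10.0.12.GA.4567.UBUNTU22.64 UBUNTU22_64 NETWORK edition.
#   Release 9.0.0_GA_4367.UBUNTU20_64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P43.
# i.e. 10.x carries the patch level in the third version field and 9.0.0
# reports it as "Patch 9.0.0_Pnn". Adjust the sed patterns if yours differs.

# zimbra_patch_state "<release line>"
# Prints "patched" or "vulnerable"; returns 0 when at or above the fixed
# level, 1 when below it, 2 when the line is not a train this notice covers.
zimbra_patch_state() {
    line=$1
    case "$line" in
        *"Release 10.1."*)
            level=$(printf '%s\n' "$line" | sed -n 's/.*Release 10\.1\.\([0-9][0-9]*\).*/\1/p')
            fixed=5 ;;
        *"Release 10.0."*)
            level=$(printf '%s\n' "$line" | sed -n 's/.*Release 10\.0\.\([0-9][0-9]*\).*/\1/p')
            fixed=13 ;;
        *"Release 9.0.0"*)
            # A 9.0.0 host with no "Patch" string at all is at patch level 0.
            level=$(printf '%s\n' "$line" | sed -n 's/.*Patch 9\.0\.0_P\([0-9][0-9]*\).*/\1/p')
            [ -n "$level" ] || level=0
            fixed=44 ;;
        *)
            printf 'unknown release train\n'
            return 2 ;;
    esac
    [ -n "$level" ] || { printf 'unparseable release line\n'; return 2; }
    # Numeric comparison, so 10.1.10 correctly counts as newer than 10.1.5.
    if [ "$level" -ge "$fixed" ]; then
        printf 'patched\n'
        return 0
    fi
    printf 'vulnerable\n'
    return 1
}

# Part 2: run as the zimbra user on the host. `zmprov gcf` reads and
# `zmprov mcf` sets a global config attribute (standard Zimbra CLI).
auth_version_get() {
    command -v zmprov >/dev/null 2>&1 || {
        echo 'zmprov not in PATH: run as the zimbra user on a Zimbra host' >&2
        return 2
    }
    # Output has the form "zimbraLowestSupportedAuthVersion: 2"; keep the value.
    zmprov gcf zimbraLowestSupportedAuthVersion | awk '{print $2}'
}

# auth_version_restore <value recorded before patching>
# Puts level 2 back only if the patch run lowered it; leaves anything else alone.
auth_version_restore() {
    before=$1
    after=$(auth_version_get) || return 2
    if [ "$before" = 2 ] && [ "$after" != 2 ]; then
        zmprov mcf zimbraLowestSupportedAuthVersion 2 && echo 'restored level 2'
    else
        echo "zimbraLowestSupportedAuthVersion is $after; nothing to do"
    fi
}

# Usage on a Zimbra host:
#   before=$(auth_version_get)
#   zimbra_patch_state "$(zmcontrol -v | head -n 1)"   # apply the patch if "vulnerable"
#   auth_version_restore "$before"                       # after the patch run

# Offline demonstration on constructed release lines (not captured from any host):
for sample in \
    'Release 10.1.4.GA.4700.UBUNTU22.64 UBUNTU22_64 FOSS edition.' \
    'Release 10.0.13.GA.4800.RHEL8.64 RHEL8_64 NETWORK edition.' \
    'Release 9.0.0_GA_4367.UBUNTU20_64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P43.'
do
    printf '%s -> ' "$sample"
    zimbra_patch_state "$sample" || :
done
```

Run Part 1 against the first line of `zmcontrol -v` on each mailbox and proxy
host before and after patching; Part 2 matters only on sites that already
raised the auth version to 2 and want it to survive the patch run unchanged.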

Also, please note that the details of the
zimbraLowestSupportedAuthVersion enforcement will be removed
from the previous versions’ release notes and a reference to
the 10.1.5 release will be inserted to avoid confusion.


Keeping Zimbra updated is crucial to protect against known
vulnerabilities and maintain a secure environment. For more
information, check out Zimbra_Releases. 

Refer to the release notes for the patch installation on
Red Hat and Ubuntu platforms.

An upgrade to the latest patch for your version is highly
recommended. Refer to our blog and the Zimbra Security
Center for steps to ensure your system is safe. You can
also set up RSS feed notifications. 

Keeping your Zimbra system secure is as simple as regularly
applying the latest patches—don’t wait to update!


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
