[Users] Another XSS issue

Malte S. Stretz mss at msquadrat.de
Fri Jan 12 13:11:36 CET 2018


Hi David,


On 12.01.2018 10:44, David Touitou wrote:
> I got a mail in the bugtraq mailing list about another XSS discovered.
> And fixed for 8.8+ versions of ZCS.
>
> However, nothing for 8.6.
> Nothing for that XSS and all the XSS discovered since 2016.
> https://forums.zimbra.org/viewtopic.php?f=13&t=63390
>
> Does anyone here know if all these XSS are only issues with 8.7+ code base?
> Or did they (Synacor) just "forget" to provide a patch for 8.6?

I'm pretty sure 8.6 is affected as well though I didn't look since I am 
frustrated enough that 8.7 doesn't get any proper fixes.

It should be easy to verify, just have a look at the JavaScript code for 
the affected code. These are the last two XSS issues fixed:
* https://github.com/Zimbra/zm-web-client/commit/8c646be0322c0ab6858652c184133b924b915d68
* https://github.com/Zimbra/zm-web-client/commit/92d2886277e7d8d4f4835a26355fa93dfebc5504

I sometimes wonder how Synacor themselves manage to run an 8.7.0 (!) on 
mail.zimbra.com…

Cheers,
Malte
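[Editor's note: the script below is an added example, not part of Malte's mail and not Zimbra/Synacor code. It automates the check he suggests, "look at the JavaScript code" of your own install against the fixed commits, by fetching an upstream commit as a unified diff and testing whether every line the fix adds is present in the local source tree. The fixtures (ExampleView.js, the AjxStringUtil.htmlEncode call, the patch text) are constructed for the demo and do not reproduce either of the real commits.]

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the Zimbra project): report
# whether the lines a fix ADDS are present in a local source tree. Useful to
# tell if an upstream commit was backported to the version you run. Get the
# diff for a commit with GitHub's ".patch" view, e.g.
#   curl -L -o fix.patch https://github.com/Zimbra/zm-web-client/commit/<sha>.patch
#
# Usage: patch_applied PATCHFILE SRCDIR
# Exit 0 when every non-blank added line is found verbatim, 1 otherwise.
patch_applied() {
    patch=$1
    srcdir=$2
    missing=0
    file=""
    while IFS= read -r line; do
        case $line in
            '+++ '*)
                # "+++ b/path/to/file.js" -> path/to/file.js (drop the b/ prefix)
                file=${line#'+++ '}
                file=${file#*/}
                ;;
            '--- '*|'@@'*|'diff '*|'index '*)
                ;;
            '+'*)
                added=${line#+}
                # whitespace-only additions carry no information; skip them
                [ -n "$(printf '%s' "$added" | tr -d '[:space:]')" ] || continue
                # -F: fixed string, -x: whole line, -- : pattern may start with '-'
                if grep -F -x -q -- "$added" "$srcdir/$file" 2>/dev/null; then
                    printf 'present  %s: %s\n' "$file" "$added"
                else
                    printf 'MISSING  %s: %s\n' "$file" "$added"
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done < "$patch"
    [ "$missing" -eq 0 ]
}

# --- Constructed fixtures for the demo (made-up file, function and patch) ---
# Creates a temp dir with an "unpatched" and a "patched" copy of a file plus
# the unified diff between them; prints the temp dir path.
make_fixtures() {
    dir=$(mktemp -d)
    mkdir -p "$dir/patched/WebRoot/js" "$dir/unpatched/WebRoot/js"
    # Pre-fix: a user-controlled value goes straight into innerHTML (XSS).
    cat > "$dir/unpatched/WebRoot/js/ExampleView.js" <<'EOF'
ExampleView.prototype.render = function(name) {
    this.getHtmlElement().innerHTML = "<b>" + name + "</b>";
};
EOF
    # Post-fix: the value is HTML-encoded first.
    cat > "$dir/patched/WebRoot/js/ExampleView.js" <<'EOF'
ExampleView.prototype.render = function(name) {
    var safeName = AjxStringUtil.htmlEncode(name);
    this.getHtmlElement().innerHTML = "<b>" + safeName + "</b>";
};
EOF
    # The fix as a unified diff, in the shape GitHub's .patch view produces.
    cat > "$dir/fix.patch" <<'EOF'
diff --git a/WebRoot/js/ExampleView.js b/WebRoot/js/ExampleView.js
--- a/WebRoot/js/ExampleView.js
+++ b/WebRoot/js/ExampleView.js
@@ -1,3 +1,4 @@
 ExampleView.prototype.render = function(name) {
-    this.getHtmlElement().innerHTML = "<b>" + name + "</b>";
+    var safeName = AjxStringUtil.htmlEncode(name);
+    this.getHtmlElement().innerHTML = "<b>" + safeName + "</b>";
 };
EOF
    printf '%s\n' "$dir"
}

# Run the check against both trees; exit 0 only if it tells them apart.
demo() {
    fx=$(make_fixtures)
    echo "== patched tree =="
    patch_applied "$fx/fix.patch" "$fx/patched" && patched=yes || patched=no
    echo "== unpatched tree =="
    patch_applied "$fx/fix.patch" "$fx/unpatched" && unpatched=yes || unpatched=no
    rm -rf "$fx"
    [ "$patched" = yes ] && [ "$unpatched" = no ]
}

demo
```

Read the result asymmetrically: if every added line is present, the fix is in your tree; if lines are missing, look at the file by hand before concluding anything, because a backport may have been reindented or reworded, and the whole-line match (`grep -x`) will then miss it. Against a production install, point SRCDIR at the deployed web client directory, not a git checkout, so you test what actually gets served.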