Zimbra Collaboration Cross-Site Request Forgery Vulnerability in Password Reset Operation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) versions 8.8.15 prior to 8.8.15 Patch 46, 9.0.0 Patch 40, 10.0.2 and 10.1.0. Because the endpoint does not validate a CSRF token, an attacker can trick an authenticated user into visiting a malicious webpage that sends a crafted SOAP request to reset the user's password.
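
As an added illustration (not code from Zimbra or from this advisory), the following Python models the server-side gate the affected versions lacked: a ResetPasswordRequest is honored only when the SOAP context header carries the CSRF token issued to that session, and a request arriving with the session cookie alone is refused. The SOAP namespaces, the csrfToken element name and the sample envelopes are assumptions constructed for the example.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
ZIMBRA_NS = "urn:zimbra"          # namespace of the <context> header (assumed)
ACCOUNT_NS = "urn:zimbraAccount"  # namespace of ResetPasswordRequest (assumed)

# Credential-changing operations must never be accepted on a session cookie alone.
GUARDED_OPS = {f"{{{ACCOUNT_NS}}}ResetPasswordRequest"}


def csrf_gate(envelope: str, session_csrf_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one SOAP envelope.

    session_csrf_token is the value the server issued to this authenticated
    session. A cross-site page can make the browser attach the cookie but
    cannot read or supply this token, so a missing or mismatched token is
    the forged request the advisory describes.
    """
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return False, "malformed SOAP envelope"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return False, "no SOAP body"
    if body[0].tag not in GUARDED_OPS:
        return True, "operation not guarded by this gate"
    # The token travels in the <context> header; no header means no token.
    token_el = root.find(
        f"{{{SOAP_NS}}}Header/{{{ZIMBRA_NS}}}context/{{{ZIMBRA_NS}}}csrfToken")
    supplied = (token_el.text or "").strip() if token_el is not None else ""
    if not supplied:  # the check the affected versions lacked
        return False, "ResetPasswordRequest without CSRF token"
    if not hmac.compare_digest(supplied, session_csrf_token):
        return False, "CSRF token mismatch"
    return True, "CSRF token verified"


def sample_envelope(op_xml: str, token=None) -> str:
    """Constructed test input: a SOAP envelope with an optional csrfToken header."""
    ctx = f"<csrfToken>{token}</csrfToken>" if token is not None else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
            f'<soap:Header><context xmlns="{ZIMBRA_NS}">{ctx}</context></soap:Header>'
            f'<soap:Body>{op_xml}</soap:Body></soap:Envelope>')


RESET_OP = f'<ResetPasswordRequest xmlns="{ACCOUNT_NS}"/>'
READ_OP = f'<GetInfoRequest xmlns="{ACCOUNT_NS}"/>'  # read-only request, not guarded here
```

The same gate can be run over a proxy's captured SOAP bodies to count password-reset requests that arrive without a token, which is the signal to look for on an unpatched instance.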

Impact

Exploitation of this vulnerability allows for unauthorized password resets, potentially leading to unauthorized access to user accounts.

Remediation

Users can upgrade to ZCS versions 10.1.10, 10.0.16, 9.0.0 Patch 46 or 8.8.15 Patch 46, all of which include the necessary CSRF token validation to address this vulnerability.

Added: Sep 17, 2025, 3:20 PM
Updated: Sep 17, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          0.6
exploitability  6.5
remediation     7.7
relevance       0.5
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.