Hi Can I put the following topic on the agenda for next week please: Content-Security-Policy (CSP). There is demand for this [1] [2] [3] , as more and more vulnerability scanners and security audits require it, but except for some pointers to generic documentation on the Security wiki [4] , Zimbra h...

Since you have discussed about updating the Nginx package, is there any work to implement the SMTP proxy in Zimbra Nginx Proxy? I mean, Zimbra already uses proxy for almost every protocol but the SMTP, which would make it much easier to work with multiple tenants and multiple certificates. Basicall...

I was told the vulnerability is in a leftover JSP file in the webex zimlet.
As a fix, patch7 simply removes this file via RPM postinstall scriptlet:

Hi Does anyone have more information on SSRF vulnerability CVE-2020-7796, besides the fact that it was fixed in 8.8.15 patch 7? CVE description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled. What is the precise scope and ...

Thanks. Does this concern all external datasources, including pop3/imap, or only the HTTP based ones like CalDAV ?

We and one of our customers had this issue. In our cases, the symptoms were that web client sessions generated a "Server Error 500" for the users, but that IMAP and other non web-ui access methods continued to function. Zimbra Support have identified the root cause and given us a bug numb...