
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in ZmMailMsgView.js in the Calendar Invite component of Zimbra Collaboration Suite 8.8.x before 8.8.15 Patch 23. It was identified and reported in May 2021 and carries a CVSS v3.1 base score of 5.4 (Medium severity). Affected versions are Zimbra Collaboration Suite 8.8.x prior to 8.8.15 Patch 23 (NVD, Sonar).
The vulnerability lies in the HTML sanitization process: an attacker could place HTML containing executable JavaScript inside element attributes. The root cause is that the default Ajax client uses a regular expression to perform replacements within form HTML tags, in particular when a form tag has no action attribute. When the client applies this transformation to already-sanitized HTML, the markup becomes unescaped, so arbitrary markup is injected into the document. The result is execution of arbitrary JavaScript in the browser of a client viewing the email (Sonar).
If exploited, the vulnerability gives an attacker access to all of the victim's emails as well as their webmail session. That access could then be used to launch further attacks and reach other Zimbra features, potentially leading to complete compromise of the user's email account and sensitive information (Sonar).
The vulnerability has been fixed in Zimbra Collaboration Suite 8.8.15 Patch 23 and 9.0.0 Patch 16. The fix involved removing the code that transformed the form tag altogether. Organizations using affected versions should upgrade to the patched versions (Zimbra Releases, Sonar).
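To turn the fixed versions above into a concrete check, here is an added example (not code from Zimbra or from this database) that classifies a version string against the patch levels stated on this page. The accepted string formats ("8.8.15 Patch 22", "8.8.15_P22") and the treatment of 9.0.0 below Patch 16 as lacking the fix are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Fix levels stated on this page: 8.8.15 Patch 23 and 9.0.0 Patch 16,
# keyed by (major, minor) branch. Branches the page says nothing about
# are deliberately absent and are reported as "unknown" rather than guessed.
FIXED_IN = {
    (8, 8): (8, 8, 15, 23),
    (9, 0): (9, 0, 0, 16),  # assumption: 9.0.0 below Patch 16 lacks the fix
}

# "major.minor.build" optionally followed by "Patch N" or "_PN" (assumed formats).
VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:.*?(?:Patch|_P)\s*(\d+))?", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, build, patch) or None if no version is found.
    A missing patch suffix is treated as patch level 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = m.groups()
    return int(major), int(minor), int(build), int(patch or 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is on a branch that received the fix but sits
    below the fixed patch level, False if at or above it, and None when the
    string is unparseable or on a branch this page does not cover."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, build, then patch level.
    return version < fixed


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real server.
    for sample in ["8.8.15 Patch 22", "8.8.15 Patch 23", "8.8.12_P5",
                   "9.0.0 Patch 15", "9.0.0 Patch 16", "8.7.11 Patch 10"]:
        print(f"{sample!r}: vulnerable={is_vulnerable(sample)}")
```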
The vulnerability was discovered and reported by researchers from SonarSource in May 2021. The Zimbra Security team responded professionally and quickly to the report, releasing patches by June 28, 2021 (Sonar).
Source: This report was generated using AI