CVE-2018-20160
Description
ZxChat (ZeXtras Chat) in Zimbra Collaboration Suite 8.7 and 8.8 is vulnerable to XXE attacks via crafted XML requests to mailboxd, allowing information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ZxChat (ZeXtras Chat) component of Synacor Zimbra Collaboration Suite 8.7 and 8.8 contains an XML External Entity (XXE) vulnerability [CWE-611]. The flaw is in how the chat component handles XML requests that arrive at the mailboxd service: the XML parser accepts a DOCTYPE with external entity declarations and resolves those entities, so a crafted payload can pull the contents of a local resource into the parsed document. Affected versions are ZCS 8.7.x and 8.8.x before the fixed releases ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1 [3].
Exploitation
An attacker exploits the flaw by sending a specially crafted XML request to the mailboxd endpoint that the ZxChat component handles. The attacker must be able to reach mailboxd over the network; the references do not state whether a valid Zimbra session is needed for the vulnerable request, so treat any network-reachable deployment as exposed until patched. The crafted XML carries a DOCTYPE whose external entity definition points at a local file (or a remote URL) and then references that entity in the document body. When the parser resolves the entity, the resource content is substituted into the document and can be returned to the attacker in the response or surfaced in an error message, which is the exfiltration channel.
Impact
Successful exploitation lets an attacker read files on the Zimbra server that the mailboxd process can open; mailboxd runs as the zimbra user, so this covers Zimbra's own configuration files and anything else readable by that account, including files containing credentials. That information disclosure can be the first step toward further compromise. As with any XXE, the same primitive can also be turned into server-side request forgery (the entity resolves to an internal URL) or denial of service (entity expansion), but the impact described for this CVE is unauthorized file reading.
Mitigation
The vulnerability is fixed in ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1, released on January 4, 2019 [3]. Upgrade to one of these or a later release. Where patching cannot happen immediately, restrict network access to mailboxd to the clients that need it, and check whether any XML-consuming code path in the deployment still allows DOCTYPE declarations or external entity resolution; the standard hardening is to disable both in the parser configuration. The references provide no vendor workaround.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Synacor / ZxChat
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly validate XML input, allowing external entities to be processed."
Attack vector
An attacker can send a crafted XML request to the `mailboxd` component. The request declares external XML entities that the server's parser resolves, so a file path placed in an entity's SYSTEM identifier is read and substituted into the document. This lets the attacker read any file on the server that the `mailboxd` process (the zimbra user) can open. [1]
Affected code
The vulnerability is present in ZxChat, which is used for zimbra-chat and zimbra-talk. The attack targets the `mailboxd` component.
What the fix does
The advisory does not specify the exact fix for this vulnerability. The standard remediation for XXE is to configure the XML parser so that it rejects DOCTYPE declarations outright or, where DTDs are genuinely needed, does not resolve external general entities, external parameter entities or external DTDs.
Preconditions
- input: The attacker must be able to send a crafted XML request to the `mailboxd` component.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] bugzilla.zimbra.com/show_bug.cgi (MISC)
[2] wiki.zimbra.com/wiki/Security_Center (MISC)
[3] wiki.zimbra.com/wiki/Zimbra_Security_Advisories (MISC)
News mentions
No linked articles in our index yet.