Description
A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA.
References
wiki.zimbra.com/wiki/Zimbra_Security_Advisories
wiki.zimbra.com/wiki/Security_Center
wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
