Appointments Duplicated (triplicated) in Appointments Summary

Postby jon_mann64 » Thu Dec 01, 2022 10:13 pm

Zimbra version: 9.0.0_GA_4373.NETWORK (build 20220726093952)

When creating an appointment using the Zimbra API in our Oncall calendar, we get duplicate appointments displayed on the Zimbra calendar (Zimbra UI) initially. Upon refreshing, the duplicates disappear from the calendar; however, the appointment is duplicated (even triplicated) in the daily “Appointments Summary” email that is auto-sent by Zimbra.

So the real issue is with the triplicated appointments in the "Appointments Summary" email. See attached screenshot. Shows triplicate "Test Appointment", though the subject says you have 5 appointments, so the triplicates are not being counted for the subject. Note that the appointment "Test Appointment (API)", seen in the API request/response below, does not appear on the "Appointments Summary" because I just created it. I expect to see it in tomorrow's "Appointments Summary" email and I expect it will be triplicated.

This issue is not isolated to appointments created by the Zimbra API. We see this occurring with appointments that were entered manually, through the Zimbra UI, as well. This issue only exists on certain calendars. Other calendars do not have this issue.

The SOAP API request and response appear below, for reference. In addition, I have included an .ics export of a calendar for which we see duplication...


CreateAppointmentRequest


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:zimbra" xmlns:urn1="urn:zimbraMail">
   <soapenv:Header>
      <urn:context>
         <urn:authToken>MY_TOKEN</urn:authToken>
      </urn:context>
   </soapenv:Header>
   <soapenv:Body>
      <urn1:CreateAppointmentRequest echo="1">
         <urn1:m l="662086ff-5f4e-49d8-95ae-07f7ebcfbc1b:48732">
            <urn1:inv name="Test Appointment (API)" allDay="1">
               <urn1:s d="20221128"/>
               <urn1:e d="20221202"/>
            </urn1:inv>
         </urn1:m>
      </urn1:CreateAppointmentRequest>
   </soapenv:Body>
</soapenv:Envelope>



CreateAppointmentResponse

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Header>
      <context xmlns="urn:zimbra">
         <change token="68630"/>
      </context>
   </soap:Header>
   <soap:Body>
      <CreateAppointmentResponse calItemId="62084" rev="68630" ms="68630" invId="62084-62083" apptId="62084" xmlns="urn:zimbraMail">
         <echo>
            <m rev="68630" s="0" d="1669928473000" t="" f="" ms="68630" md="1669928473" tn="" id="62084-62083" l="48732">
               <meta/>
               <inv type="appt">
                  <comp loc="" method="PUBLISH" fba="B" d="1669928473000" isOrg="1" apptId="62084" rsvp="0" noBlob="1" transp="O" url="" x_uid="3f903f4e-0b19-44c9-a29f-50d64abbe490" ciFolder="48732" compNum="0" uid="3f903f4e-0b19-44c9-a29f-50d64abbe490" calItemId="62084" allDay="1" name="Test Appointment (API)" fb="B" class="PUB" seq="0" status="CONF">
                     <s d="20221128"/>
                     <e d="20221202"/>
                  </comp>
               </inv>
            </m>
         </echo>
      </CreateAppointmentResponse>
   </soap:Body>
</soap:Envelope>




Oncall-2022-12-01-133043.ics

BEGIN:VCALENDAR
X-WR-CALNAME:Oncall
X-WR-CALID:662086ff-5f4e-49d8-95ae-07f7ebcfbc1b:48732
PRODID:Zimbra-Calendar-Provider
VERSION:2.0
METHOD:PUBLISH
BEGIN:VEVENT
UID:c4c61718-1c42-46d5-9a0b-d4d18971a3c0
SUMMARY:Test Appointment
DTSTART;VALUE=DATE:20221128
DTEND;VALUE=DATE:20221203
STATUS:CONFIRMED
CLASS:PUBLIC
X-MICROSOFT-CDO-ALLDAYEVENT:TRUE
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
TRANSP:OPAQUE
LAST-MODIFIED:20221201T000035Z
DTSTAMP:20221201T000035Z
SEQUENCE:0
END:VEVENT
BEGIN:VEVENT
UID:3f903f4e-0b19-44c9-a29f-50d64abbe490
SUMMARY:Test Appointment (API)
DTSTART;VALUE=DATE:20221128
DTEND;VALUE=DATE:20221203
STATUS:CONFIRMED
CLASS:PUBLIC
X-MICROSOFT-CDO-ALLDAYEVENT:TRUE
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
TRANSP:OPAQUE
LAST-MODIFIED:20221201T210113Z
DTSTAMP:20221201T210113Z
SEQUENCE:0
END:VEVENT
END:VCALENDAR



Thanks in advance for your reply.
Attachments
Appointments_Summary_email.png


Re: Appointments Duplicated (triplicated) in Appointments Summary

Postby jon_mann64 » Fri Dec 02, 2022 5:38 pm

Learned that this functionality is provided by a third party through a zimlet. Looks like they fixed this bug for Zimbra 8 but not for Zimbra 9.

If you are having the same issue, please go here for further information...
https://gallery.zetalliance.org/extend/items/view/appointment-summary.
