Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions.
The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.
Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by “manipulating a specific parameter in the request.”
Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier.
“The fix strengthens input sanitization and enhances security,” the company said in an advisory, adding that the issue has been fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.
Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows for unauthorized redirection to internal network endpoints.
The security defect has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Customers are advised to update to the latest versions of Zimbra Collaboration for optimal security.
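Because the three fixes landed in different patch levels on each release line, a quick way to triage an installed server is to compare its version string against the fixed versions listed above. The helper below is an added example, not Zimbra's or the advisory's own code; it assumes version strings of the form `10.0.12` or `9.0.0 Patch 44`, and it reports `None` where the article gives no fixed version for a release line (the 9.0.0 line for CVE-2025-25064).

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, patch)

# Issue labels used as lookup keys; the fixed versions are those stated in the article.
SQLI = "CVE-2025-25064 (SQL injection, ZimbraSync SOAP endpoint)"
XSS = "stored XSS, Zimbra Classic Web Client (no CVE assigned yet)"
SSRF = "CVE-2025-25065 (SSRF, RSS feed parser)"

FIXED_IN: Dict[str, Tuple[str, ...]] = {
    SQLI: ("10.0.12", "10.1.4"),               # article names no 9.0.0 patch level for this one
    XSS: ("9.0.0 Patch 44", "10.0.13", "10.1.5"),
    SSRF: ("9.0.0 Patch 43", "10.0.12", "10.1.4"),
}


def parse_version(text: str) -> Version:
    """Parse '10.0.12' or '9.0.0 Patch 44' into a comparable tuple (assumed format)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*[Pp]atch\s*(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_patched(installed: str, issue: str) -> Optional[bool]:
    """True/False if the installed release line has a known fix; None if the article
    does not state a fixed version for that release line."""
    current = parse_version(installed)
    for fixed_text in FIXED_IN[issue]:
        fixed = parse_version(fixed_text)
        if fixed[:2] == current[:2]:          # same release line, e.g. 10.0.x
            return current >= fixed
    return None


def triage(installed: str) -> Dict[str, Optional[bool]]:
    """Patch status of every issue in the article for one installed version."""
    return {issue: is_patched(installed, issue) for issue in FIXED_IN}


if __name__ == "__main__":
    for version in ("9.0.0 Patch 43", "10.0.12", "10.1.5"):   # constructed sample inputs
        print(version, triage(version))
```

A server on 10.0.12 is covered for both CVEs but still needs 10.0.13 for the XSS fix, which is why the per-issue view matters more than a single "latest version" check.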