Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

2 Min Read

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions.

The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.

Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by "manipulating a specific parameter in the request."
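The root cause described above, a request parameter reaching the query text without being parameterized, is easiest to see side by side with the fix. The following is an added illustration, not Zimbra code and not the ZimbraSync schema: it uses an in-memory SQLite table of constructed email-metadata rows, a `lookup_vulnerable` function that concatenates the caller's value into the SQL, and a `lookup_hardened` function that binds it as a parameter. The table name, columns and sample rows are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample data standing in for an email-metadata table (not Zimbra's schema).
SAMPLE_ROWS = [
    ("alice@example.test", "Q1 budget", "2025-01-10"),
    ("bob@example.test", "Re: offsite", "2025-01-11"),
    ("carol@example.test", "Invoice 42", "2025-01-12"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail_meta (sender TEXT, subject TEXT, received TEXT)")
    conn.executemany("INSERT INTO mail_meta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(sender: str) -> list:
    """Builds the query by string concatenation: the caller-supplied value becomes SQL."""
    conn = _connect()
    sql = "SELECT sender, subject FROM mail_meta WHERE sender = '" + sender + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(sender: str) -> list:
    """Binds the value as a query parameter: it is only ever compared, never parsed as SQL."""
    conn = _connect()
    return conn.execute(
        "SELECT sender, subject FROM mail_meta WHERE sender = ?", (sender,)
    ).fetchall()


# Constructed input: a quote closes the string literal and an always-true clause follows.
TAMPERED_VALUE = "nobody' OR '1'='1"

if __name__ == "__main__":
    print("concatenated :", lookup_vulnerable(TAMPERED_VALUE))  # returns every row
    print("parameterised:", lookup_hardened(TAMPERED_VALUE))    # returns no rows
```

With the concatenated form the same value that should match no sender returns every row in the table, which is exactly the metadata-disclosure outcome the advisory describes; the parameterized form returns nothing because the tampered string is compared as data. Input sanitization on top of that is defence in depth, not a substitute.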

Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier.

"The fix strengthens input sanitization and enhances security," the company said in an advisory, adding that the issue has been fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows for unauthorized redirection to internal network endpoints.
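An RSS fetcher is a textbook SSRF surface because it takes a URL from a user and makes the server fetch it, and, as the advisory notes, a redirect can steer that fetch to an internal endpoint even when the first URL looked harmless. The block below is an added example of the defensive pattern and is not Zimbra's feed-parser code: it restricts the scheme, resolves the host and rejects any address that is private, loopback, link-local or otherwise non-public (including IPv4-mapped IPv6 forms), and follows redirects by hand so every hop is re-checked before it is fetched. The DNS table, the fake transport and all hostnames and addresses are constructed for the offline demo; `socket.getaddrinfo` is the real default resolver.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


def _system_resolve(host: str) -> list:
    """Default resolver: every address the OS returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(addr: str) -> bool:
    """True for any address a feed fetcher should never reach out to."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 hides an IPv4 target
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_feed_url(url: str, resolve: Callable[[str], list] = _system_resolve) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return f"resolution failed: {exc}"
    if not addrs:
        return "host resolved to no addresses"
    for addr in addrs:  # one internal answer among several is enough to refuse
        if _is_internal(addr):
            return f"{host} resolves to internal address {addr}"
    return None


def fetch_feed(url: str,
               get: Callable[[str], Tuple[int, Optional[str], bytes]],
               resolve: Callable[[str], list] = _system_resolve) -> bytes:
    """Follow redirects manually so each hop passes the same policy before it is fetched."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_feed_url(url, resolve)
        if reason:
            raise ValueError(f"refusing {url}: {reason}")
        status, location, body = get(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # next loop iteration re-validates this target
            continue
        return body
    raise ValueError("too many redirects")


# Constructed DNS table and transport for the offline demo (hostnames and IPs are made up).
FAKE_DNS = {
    "feeds.example.test": ["1.2.3.4"],
    "cdn.example.test": ["5.6.7.8"],
    "rebind.example.test": ["5.6.7.9", "10.0.0.5"],  # public and private answers mixed
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def fake_get(url: str) -> Tuple[int, Optional[str], bytes]:
    """The 'public' feed host redirects to a private address; the CDN serves a feed."""
    if url.startswith("http://feeds.example.test/"):
        return 302, "http://10.0.0.5:8080/admin", b""
    if url.startswith("http://cdn.example.test/"):
        return 200, None, b"<rss/>"
    return 404, None, b""


if __name__ == "__main__":
    print(fetch_feed("http://cdn.example.test/rss", fake_get, fake_resolve))
    try:
        fetch_feed("http://feeds.example.test/rss", fake_get, fake_resolve)
    except ValueError as err:
        print(err)  # refused at the redirect hop, before any request to 10.0.0.5
```

The important design choice is that the check runs on every hop, not just the first URL: a library that follows redirects automatically would have made the second request before the application saw the new target. Re-resolving at each hop also catches the mixed-answer case, where a hostname returns both a public and a private address.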

The security defect has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Customers are advised to update to the latest versions of Zimbra Collaboration for optimal security.
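Because the three issues were fixed in different releases across the 9.0, 10.0 and 10.1 branches, an administrator's first question is which of them a given install is still exposed to. The script below is an added helper, not a Zimbra tool: it encodes only the fixed versions stated in this article, parses a version string written in the same notation the advisory uses (`10.0.11` or `9.0.0 Patch 43`; how that string is obtained from the server is left to the reader), and reports each issue as fixed, vulnerable, or, where the article lists no fix for that branch (the SQL injection fix is stated only for 10.0.12 and 10.1.4), as not listed rather than guessing.

```python
import re
from typing import Dict, Tuple

# First fixed version per (major, minor) branch, exactly as stated in the article above.
FIXES = {
    "CVE-2025-25064 (SQL injection, ZimbraSync SOAP endpoint)": {
        (10, 0): "10.0.12", (10, 1): "10.1.4",
    },
    "stored XSS, Classic Web Client (no CVE yet)": {
        (9, 0): "9.0.0 Patch 44", (10, 0): "10.0.13", (10, 1): "10.1.5",
    },
    "CVE-2025-25065 (SSRF, RSS feed parser)": {
        (9, 0): "9.0.0 Patch 43", (10, 0): "10.0.12", (10, 1): "10.1.4",
    },
}

# Matches "10.0.12" and "9.0.0 Patch 43" (patch level optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an advisory-style version string into a comparable (major, minor, micro, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def assess(installed: str) -> Dict[str, str]:
    """Map each issue to 'fixed', 'vulnerable' or 'no fix listed for this branch'."""
    version = parse_version(installed)
    branch = version[:2]
    report = {}
    for issue, fixed_by_branch in FIXES.items():
        fixed = fixed_by_branch.get(branch)
        if fixed is None:
            report[issue] = "no fix listed for this branch"  # do not assume either way
        elif version >= parse_version(fixed):
            report[issue] = "fixed"
        else:
            report[issue] = "vulnerable"
    return report


if __name__ == "__main__":
    for sample in ("10.0.11", "9.0.0 Patch 43", "10.1.5"):  # constructed sample inputs
        print(sample)
        for issue, state in assess(sample).items():
            print(f"  {state:28} {issue}")
```

Comparison is done only within the same branch, since a 9.0 patch number says nothing about a 10.x release. Treating an unlisted branch as unknown rather than safe is deliberate: the article's advice to move to the latest release of each branch is the answer for those installs.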
