Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Avatar
Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions.

The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.

Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by “manipulating a specific parameter in the request.”

Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier.

“The fix strengthens input sanitization and enhances security,” the company said in an advisory, adding the issue has been fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows for unauthorized redirection to internal network endpoints.

The security defect has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Customers are advised to update to the latest versions of Zimbra Collaboration for optimal protection.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells

Next Post

DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects

Related Posts

Italy Bans Chinese DeepSeek AI Over Data Privacy and Ethical Concerns

Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of information on its use of users' personal data. The development comes days after the authority, the Garante, sent a series of questions to DeepSeek, asking about its data handling practices and where it obtained its training data. In particular, it wanted
Avatar
Read More

Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "
Avatar
Read More