Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions.
The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.
Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by “manipulating a specific parameter in the request.”
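The root cause described above (a caller-controlled value spliced into a query) is the classic pattern behind this class of bug. The following is an added illustration, not Zimbra's code and not its schema: a constructed `mail_meta` table in SQLite, a lookup that concatenates the `since` parameter into the SQL text, and the hardened form that binds it as a parameter and validates its shape. The table, column names and sample rows are all invented for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; this is not Zimbra's schema or code.
SAMPLE_ROWS = [
    ("alice", "Q1 budget", "2025-01-10"),
    ("alice", "Lunch?", "2025-01-11"),
    ("bob", "Offer letter", "2025-01-12"),
]


def make_db():
    """Build an in-memory table of per-user message metadata."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail_meta (owner TEXT, subject TEXT, received TEXT)")
    conn.executemany("INSERT INTO mail_meta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def subjects_vulnerable(conn, owner, since):
    """Vulnerable form: the caller's 'since' value becomes part of the SQL text,
    so a value containing quotes changes the query's logic and can return
    rows that belong to other owners."""
    sql = (f"SELECT subject FROM mail_meta WHERE owner = '{owner}' "
           f"AND received >= '{since}' ORDER BY received")
    return [row[0] for row in conn.execute(sql)]


def subjects_parameterized(conn, owner, since):
    """Parameterized form: the driver sends 'since' as a bound value, so it is
    compared as an opaque string and can never alter the query structure."""
    sql = ("SELECT subject FROM mail_meta WHERE owner = ? "
           "AND received >= ? ORDER BY received")
    return [row[0] for row in conn.execute(sql, (owner, since))]


# Defence in depth: the parameter has a known shape, so reject anything else
# before it reaches the database at all.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def subjects_hardened(conn, owner, since):
    """Validate the parameter's format, then run the parameterized query."""
    if not DATE_RE.match(since):
        raise ValueError("since must be YYYY-MM-DD")
    return subjects_parameterized(conn, owner, since)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # textbook tautology used only to show the leak
    print("legit    :", subjects_vulnerable(db, "alice", "2025-01-11"))
    print("vuln     :", subjects_vulnerable(db, "alice", crafted))
    print("param    :", subjects_parameterized(db, "alice", crafted))
```

Parameter binding alone is what removes the injection: with the same crafted input the parameterized query still returns only alice's rows, because the whole value is compared as a string rather than parsed as SQL. The format check is the extra layer an advisory means by "strengthening input sanitization"; on its own it would be a fragile defence, since the next parameter may not have such a tidy shape.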

Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier.
“The fix strengthens input sanitization and enhances security,” the company said in an advisory, adding that the issue has been fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.
Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows for unauthorized redirection to internal network endpoints.
The security defect has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Customers are advised to update to the latest versions of Zimbra Collaboration for optimal protection.
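A feed parser that fetches whatever URL a user supplies is exposed to exactly the SSRF risk described for CVE-2025-25065: the server ends up talking to hosts it should never reach, including after a redirect. The following is an added example of the kind of destination check a defender would put in front of such a fetcher. It is not Zimbra's code; the `sample_resolver` table and the hostnames in it are constructed, and the policy (only http/https, no credentials, every resolved address must be public, every redirect hop re-checked) is an assumption about what a feed fetcher should allow.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for a feed fetcher: feeds live on the public internet only.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Resolve every address for host via live DNS (replaced by a table in tests)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


# Constructed lookup table standing in for DNS, so the demo runs offline.
SAMPLE_DNS = {
    "feeds.example.com": ["93.184.216.34"],         # public address, sample only
    "internal.example": ["10.0.0.8"],              # RFC 1918
    "dual.example": ["93.184.216.34", "192.168.1.1"],  # one public, one private
    "mapped.example": ["::ffff:10.0.0.1"],         # IPv4-mapped IPv6 disguise
}


def sample_resolver(host):
    """Offline resolver: table lookup, else treat host as an IP literal."""
    if host in SAMPLE_DNS:
        return [ipaddress.ip_address(a) for a in SAMPLE_DNS[host]]
    return [ipaddress.ip_address(host)]  # raises ValueError if not a literal


def is_public(ip):
    """True only for addresses that are routable on the public internet."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 payload
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_feed_url(url, resolver=resolve_all):
    """Return (ok, reason) for a single URL the fetcher is about to request."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    # Every address must pass: a name with one public and one internal record
    # would otherwise let the client pick the internal one.
    for ip in addrs:
        if not is_public(ip):
            return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, "ok"


def check_redirect_chain(urls, resolver=resolve_all):
    """Validate the original URL and each Location it redirects to, in order.
    The fetcher is expected to follow redirects itself and call this per hop."""
    for url in urls:
        ok, reason = check_feed_url(url, resolver)
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://feeds.example.com/rss", "http://internal.example/",
              "http://mapped.example/", "file:///etc/hosts"):
        print(u, "->", check_feed_url(u, sample_resolver))
```

Two caveats a practitioner should keep in mind. First, the check happens before the connection, so a name whose DNS answer changes between validation and the actual request (DNS rebinding) can slip past it; the stronger fix is to connect to the validated address and only send the validated host name in the request. Second, redirects must be disabled in the HTTP client and followed manually so that `check_redirect_chain` sees every hop; a client that follows a redirect to an internal address on its own defeats the whole check.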