![Zimbra](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQA0xWo5M-_umc_W01aFMhEeDMq5Q7_wh28mC5JhcjFy1cNSHVe5pQ42U9N6iv9jIMS8BzmIOFJxuVqpAo7uwflNTsRy5jEEuKTPFrz5xXhwS5u9vWy5rzb9-QP_NOW8T9goxtPoGuTTCzoyDk8mh_K6tGhUALM_eLh3XaGYQRXz-pH3FJvkoU8RFmwfcr/s728-rw-e365/zibra.png)
Zimbra has released software updates to address critical security flaws in its Collaboration software.
The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It is described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.
Because it stems from a lack of proper sanitization of user-supplied parameters, the flaw could be weaponized by an authenticated attacker to inject arbitrary SQL queries that retrieve email metadata by "manipulating specific parameters in the request."
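The root cause described above is the classic one: a request parameter is spliced into SQL text instead of being bound as a value. The following is an added illustration, not Zimbra's code and not based on the patched endpoint; the `mail_item` table, its rows and the `account`/`folder` parameters are constructed for the demonstration. It places the vulnerable concatenation beside the parameterized query so the difference in behaviour on a crafted `folder` value can be seen directly.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    # Constructed stand-in for an "email metadata" table; schema and rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item (id INTEGER, account TEXT, folder TEXT, subject TEXT)"
    )
    conn.executemany(
        "INSERT INTO mail_item VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "Inbox", "Q1 budget"),
            (2, "alice", "Sent", "Re: Q1 budget"),
            (3, "bob", "Inbox", "Payroll export"),
        ],
    )
    return conn


def list_subjects_vulnerable(conn: sqlite3.Connection, account: str, folder: str) -> list[str]:
    # Vulnerable pattern: request parameters are pasted straight into the SQL text,
    # so quote characters in `folder` change the structure of the WHERE clause.
    sql = (
        "SELECT subject FROM mail_item WHERE account = '" + account
        + "' AND folder = '" + folder + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def list_subjects_safe(conn: sqlite3.Connection, account: str, folder: str) -> list[str]:
    # Hardened pattern: bound parameters. The driver sends the values separately
    # from the statement, so the same crafted input is just a folder name that
    # does not exist and matches nothing.
    sql = "SELECT subject FROM mail_item WHERE account = ? AND folder = ?"
    return [row[0] for row in conn.execute(sql, (account, folder))]


def compare(folder: str) -> dict:
    # Runs both variants for account "alice" and reports how many rows each leaks.
    conn = build_sample_db()
    return {
        "vulnerable": list_subjects_vulnerable(conn, "alice", folder),
        "safe": list_subjects_safe(conn, "alice", folder),
    }


if __name__ == "__main__":
    # A benign value behaves identically; a value carrying a quote and an OR clause
    # makes the concatenated query return every account's metadata.
    print(compare("Inbox"))
    print(compare("Inbox' OR '1'='1"))
```

The point for a reviewer is that the two functions are the same length and the fix is mechanical; what matters is that no code path builds the statement from request data. Auditing an endpoint for this means searching for string concatenation or formatting into SQL text, not looking for a particular "bad" input.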
Zimbra also said it addressed another important vulnerability, a stored cross-site scripting (XSS) flaw in the Zimbra Classic web client. The defect has not yet been assigned a CVE identifier.
"This fix enhances input sanitization and improves security," the company said in its advisory, adding that the issue has been fixed in versions 9.0.0 patch 44, 10.0.13 and 10.1.5.
Another vulnerability Zimbra addressed is CVE-2025-25065 (CVSS score: 5.3).
The security flaw has been patched in versions 9.0.0 patch 43, 10.0.12 and 10.1.4. Customers are encouraged to update to the latest version of Zimbra Collaboration for optimal protection.
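Three issues with three different fix thresholds across three release branches is easy to misread when checking a fleet. The following is an added helper, not provided by Zimbra, that encodes only the fixed versions stated in the text above and answers whether a given installed version is at or beyond them. The accepted version-string forms (`10.0.11`, `9.0.0 patch 43`) and the `stored-xss-classic-ui` label for the unnumbered XSS issue are assumptions made for the example; where the advisory text gives no threshold for a branch (the 9.0 branch for CVE-2025-25064) the helper returns `None` rather than guessing.

```python
import re

# Fixed versions as stated in the advisory text above, keyed by release branch.
# A 9.0.0 patch N release is encoded as (9, 0, 0, N); a 10.x.y release as (10, x, y, 0).
FIXED_IN = {
    "CVE-2025-25064": {
        (10, 0): (10, 0, 12, 0),
        (10, 1): (10, 1, 4, 0),
    },
    "CVE-2025-25065": {
        (9, 0): (9, 0, 0, 43),
        (10, 0): (10, 0, 12, 0),
        (10, 1): (10, 1, 4, 0),
    },
    # Label assumed here; the stored XSS in the Classic web client has no CVE yet.
    "stored-xss-classic-ui": {
        (9, 0): (9, 0, 0, 44),
        (10, 0): (10, 0, 13, 0),
        (10, 1): (10, 1, 5, 0),
    },
}

# Assumed input format: "major.minor.micro" optionally followed by "patch N" or "pN".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\s*(?:patch|p)\s*(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    # Normalizes a version string to a 4-tuple comparable against FIXED_IN entries.
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, micro, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, micro, patch)


def is_patched(version_text: str, issue: str):
    # True/False when the advisory text covers this branch, None when it does not.
    version = parse_version(version_text)
    fixed = FIXED_IN[issue].get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def outstanding_issues(version_text: str) -> list[str]:
    # Issues the advisory text says are still unfixed at this version, in sorted order.
    return sorted(
        issue for issue in FIXED_IN if is_patched(version_text, issue) is False
    )


if __name__ == "__main__":
    for v in ("9.0.0 patch 43", "10.0.11", "10.1.4", "10.1.5"):
        print(v, "->", outstanding_issues(v) or "nothing outstanding per advisory")
```

Note that a version on the 10.1 branch at 10.1.4 is fixed for both CVEs but still short of the 10.1.5 build that carries the XSS fix, which is exactly the case a "we patched last week" assumption tends to miss.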