Zimbra Releases Security Update to Patch SQL Injection, Stored XSS, and SSRF Vulnerabilities

Tuesday, February 11, 2025

Zimbra has released a software update to address critical security vulnerabilities that could lead to data exposure if exploited. The vulnerability tracked as CVE-2025-25064 has been assigned a CVSS score of 9.8 and is an SQL Injection flaw in the ZimbraSync Service SOAP endpoint, affecting versions prior to 10.0.12 and 10.1.4. Authenticated attackers could exploit this vulnerability to extract email metadata by manipulating request parameters.

Additionally, Zimbra has fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic Web Client, which has not yet been assigned a CVE but has been patched in Patch 44 for versions 9.0.0, 10.0.13, and 10.1.5. The company has enhanced input validation measures to prevent this type of attack. Another addressed vulnerability, CVE-2025-25065, has a CVSS score of 5.3 and is a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed parser. This flaw could allow attackers to redirect connections to internal network targets without authorization.

Zimbra strongly advises users to update to the latest version of Zimbra Collaboration immediately to mitigate the risks associated with these vulnerabilities. Security patches are available in Patch 43 for versions 9.0.0, 10.0.12, and 10.1.4 for the SSRF issue, while newer versions contain fixes for the other vulnerabilities.

Source: https://thehackernews.com/2025/02/zimbra-releases-security-updates-for.html