Zimbra has launched tool updates to handle essential safety flaws in its Collaboration tool that, if effectively exploited, may just lead to knowledge disclosure beneath positive prerequisites.
The vulnerability, tracked as CVE-2025-25064, carries a CVSS ranking of 9.8 out of a most of 10.0. It’s been described as an SQL injection malicious program within the ZimbraSync Carrier SOAP endpoint affecting variations prior to ten.0.12 and 10.1.4.
Stemming from a loss of good enough sanitization of a user-supplied parameter, the lack might be weaponized via authenticated attackers to inject arbitrary SQL queries that might retrieve electronic mail metadata via “manipulating a particular parameter within the request.”
Zimbra additionally stated it addressed some other essential vulnerability associated with saved cross-site scripting (XSS) within the Zimbra Vintage Internet Shopper. The flaw is but to be assigned a CVE identifier.
“The repair strengthens enter sanitization and complements safety,” the corporate stated in an advisory, including the problem has been fastened in variations 9.0.0 Patch 44, 10.0.13, and 10.1.5.
Any other vulnerability addressed via Zimbra is CVE-2025-25065 (CVSS ranking: 5.3), a medium-severity server-side request forgery (SSRF) flaw within the RSS feed parser element that permits for unauthorized redirection to inside community endpoints.
The safety defect has been patched in variations 9.0.0 Patch 43, 10.0.12, and 10.1.4. Consumers are urged to replace to the newest variations of Zimbra Collaboration for optimum coverage.