CVE-2025-25064 (GCVE-0-2025-25064)
Vulnerability from cvelistv5 – Published: 2025-02-03 00:00 – Updated: 2026-02-26 19:09
- n/a
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T04:55:28.277127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:09:26.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T20:02:26.403Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-25064",
"datePublished": "2025-02-03T00:00:00.000Z",
"dateReserved": "2025-02-03T00:00:00.000Z",
"dateUpdated": "2026-02-26T19:09:26.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-25064",
"date": "2026-05-27",
"epss": "0.47696",
"percentile": "0.9775"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-25064\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-02-03T20:15:37.257\",\"lastModified\":\"2025-06-11T21:18:03.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de inyecci\u00f3n SQL en ZimbraSyncService SOAP endpoint en Zimbra Collaboration 10.0.x anterior a 10.0.12 y 10.1.x anterior a 10.1.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.12\",\"matchCriteriaId\":\"E603BD7A-730E-410C-BBE1-3E5A8DD2A72F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.1.0\",\"versionEndExc
luding\":\"10.1.4\",\"matchCriteriaId\":\"55361360-9F77-4731-82AD-82E65E4C5AA0\"}]}]}],\"references\":[{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25064\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-14T04:55:28.277127Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T15:55:20.474Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes\"}, {\"url\": \"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. 
Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-02-06T20:02:26.403Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25064\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T19:09:26.834Z\", \"dateReserved\": \"2025-02-03T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-02-03T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2024-AVI-1090
Vulnerability from certfr_avis - Published: 2024-12-18 - Updated: 2025-12-04
De multiples vulnérabilités ont été découvertes dans Synacor Zimbra Collaboration. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une injection de code indirecte à distance (XSS) et une injection de requêtes illégitimes par rebond (CSRF).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Synacor | Zimbra Collaboration | Zimbra Collaboration Daffodil (10.0.0) sans le correctif 10.0.12 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Joule (8.8.15) sans le correctif 47 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Kepler (9.0.0) sans le correctif 43 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Daffodil (10.1.0) sans le correctif 10.1.4 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Zimbra Collaboration Daffodil (10.0.0) sans le correctif 10.0.12",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Joule (8.8.15) sans le correctif 47",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Kepler (9.0.0) sans le correctif 43",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Daffodil (10.1.0) sans le correctif 10.1.4",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-45516",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45516"
},
{
"name": "CVE-2025-25064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25064"
},
{
"name": "CVE-2025-48700",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48700"
},
{
"name": "CVE-2025-25065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25065"
}
],
"initial_release_date": "2024-12-18T00:00:00",
"last_revision_date": "2025-12-04T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1090",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-18T00:00:00.000000"
},
{
"description": "Ajout des identifiants CVE CVE-2025-25064 et CVE-2025-25065.",
"revision_date": "2025-02-03T00:00:00.000000"
},
{
"description": "Ajout de l\u0027identifiant CVE-2025-48700.",
"revision_date": "2025-12-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Synacor Zimbra Collaboration. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection de code indirecte \u00e0 distance (XSS) et une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Synacor Zimbra Collaboration",
"vendor_advisories": [
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Synacor Zimbra Collaboration 9.0.0 Patch 43",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Zimbra Collaboration 10.1.4",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Synacor Zimbra Collaboration 8.8.15 Patch P47",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P47"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Zimbra Collaboration 10.0.12",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12"
}
]
}
CERTFR-2024-AVI-1090
Vulnerability from certfr_avis - Published: 2024-12-18 - Updated: 2025-12-04
De multiples vulnérabilités ont été découvertes dans Synacor Zimbra Collaboration. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une injection de code indirecte à distance (XSS) et une injection de requêtes illégitimes par rebond (CSRF).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Synacor | Zimbra Collaboration | Zimbra Collaboration Daffodil (10.0.0) sans le correctif 10.0.12 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Joule (8.8.15) sans le correctif 47 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Kepler (9.0.0) sans le correctif 43 |
| Synacor | Zimbra Collaboration | Zimbra Collaboration Daffodil (10.1.0) sans le correctif 10.1.4 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Zimbra Collaboration Daffodil (10.0.0) sans le correctif 10.0.12",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Joule (8.8.15) sans le correctif 47",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Kepler (9.0.0) sans le correctif 43",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
},
{
"description": "Zimbra Collaboration Daffodil (10.1.0) sans le correctif 10.1.4",
"product": {
"name": "Zimbra Collaboration",
"vendor": {
"name": "Synacor",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-45516",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45516"
},
{
"name": "CVE-2025-25064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25064"
},
{
"name": "CVE-2025-48700",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48700"
},
{
"name": "CVE-2025-25065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25065"
}
],
"initial_release_date": "2024-12-18T00:00:00",
"last_revision_date": "2025-12-04T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1090",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-18T00:00:00.000000"
},
{
"description": "Ajout des identifiants CVE CVE-2025-25064 et CVE-2025-25065.",
"revision_date": "2025-02-03T00:00:00.000000"
},
{
"description": "Ajout de l\u0027identifiant CVE-2025-48700.",
"revision_date": "2025-12-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Synacor Zimbra Collaboration. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection de code indirecte \u00e0 distance (XSS) et une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Synacor Zimbra Collaboration",
"vendor_advisories": [
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Synacor Zimbra Collaboration 9.0.0 Patch 43",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Zimbra Collaboration 10.1.4",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Synacor Zimbra Collaboration 8.8.15 Patch P47",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P47"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Synacor Zimbra Collaboration 10.0.12",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12"
}
]
}
BDU:2025-04092
Vulnerability from fstec - Published: 17.12.2024
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Zimbra Inc.",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 10.0.0 \u0434\u043e 10.0.12 (Zimbra Collaboration Suite), \u043e\u0442 10.1.0 \u0434\u043e 10.1.4 (Zimbra Collaboration Suite)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes\t\nhttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.12.2024",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "10.04.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "10.04.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-04092",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-25064",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Zimbra Collaboration Suite",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0438\u0441\u0430 ZimbraSyncService \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u043e\u0439 Zimbra Collaboration Suite, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL (\u0430\u0442\u0430\u043a\u0438 \u0442\u0438\u043f\u0430 \\\"\u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 SQL\\\") (CWE-89)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0438\u0441\u0430 ZimbraSyncService \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u043e\u0439 Zimbra Collaboration Suite \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u0437-\u0437\u0430 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u044f \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes\t\nhttps://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes\nhttps://wiki.zimbra.com/wiki/Main_Page",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-89",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}
FKIE_CVE-2025-25064
Vulnerability from fkie_nvd - Published: 2025-02-03 20:15 - Updated: 2025-06-11 21:18
| Vendor | Product | Version |
|---|---|---|
| synacor | zimbra_collaboration_suite | * |
| synacor | zimbra_collaboration_suite | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E603BD7A-730E-410C-BBE1-3E5A8DD2A72F",
"versionEndExcluding": "10.0.12",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55361360-9F77-4731-82AD-82E65E4C5AA0",
"versionEndExcluding": "10.1.4",
"versionStartIncluding": "10.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en ZimbraSyncService SOAP endpoint en Zimbra Collaboration 10.0.x anterior a 10.0.12 y 10.1.x anterior a 10.1.4."
}
],
"id": "CVE-2025-25064",
"lastModified": "2025-06-11T21:18:03.333",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-03T20:15:37.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-W8HM-78QP-V45P
Vulnerability from github – Published: 2025-02-03 21:31 – Updated: 2025-02-04 18:30
SQL injection vulnerability in the ZimbraSyncService SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4.
{
"affected": [],
"aliases": [
"CVE-2025-25064"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T20:15:37Z",
"severity": "CRITICAL"
},
"details": "SQL injection vulnerability in the ZimbraSyncService SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4.",
"id": "GHSA-w8hm-78qp-v45p",
"modified": "2025-02-04T18:30:48Z",
"published": "2025-02-03T21:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25064"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
NCSC-2025-0038
Vulnerability from csaf_ncscnl - Published: 2025-02-04 09:10 - Updated: 2025-02-04 09:10
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
zimbra_collaboration_server
synacor
|
cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:*:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.10:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.11:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.1:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.2:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.3:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.4:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.5:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.6:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.7:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.8:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.0.9:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.1.0:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.1.1:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.1.2:*:*:*:*:*:*:*
|
— | |
|
collaboration_suite
zimbra
|
cpe:2.3:a:zimbra:collaboration_suite:10.1.3:*:*:*:*:*:*:*
|
— | |
|
zimbra_collaboration
zimbra
|
cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*
|
— |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| zimbra_collaboration_server<br>synacor | `cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:*:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.10:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.11:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.1:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.2:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.3:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.4:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.5:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.6:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.7:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.8:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.9:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.0:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.1:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.2:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.3:*:*:*:*:*:*:*` | — | |
| zimbra_collaboration<br>zimbra | `cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*` | — | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| zimbra_collaboration_server<br>synacor | `cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:*:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.10:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.11:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.1:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.2:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.3:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.4:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.5:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.6:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.7:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.8:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.0.9:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.0:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.1:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.2:*:*:*:*:*:*:*` | — | |
| collaboration_suite<br>zimbra | `cpe:2.3:a:zimbra:collaboration_suite:10.1.3:*:*:*:*:*:*:*` | — | |
| zimbra_collaboration<br>zimbra | `cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*` | — | |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy or incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Zimbra heeft meerdere kwetsbaarheden verholpen in Zimbra Collaboration.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten een SQL-injectie in de ZimbraSyncService SOAP-endpoint en een SSRF-kwetsbaarheid in de RSS-feedparser, die ongeautoriseerde toegang en manipulatie van de database mogelijk maakten, evenals ongeoorloofde omleiding naar interne netwerkeindpunten. Deze kwetsbaarheden kunnen leiden tot ongeautoriseerde toegang tot gevoelige gegevens en stelden interne bronnen bloot aan risico\u0027s.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Zimbra heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P43#Security_Fixes"
},
{
"category": "external",
"summary": "Reference - hkcert",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46"
}
],
"title": "Kwetsbaarheden verholpen in Zimbra Collaboration",
"tracking": {
"current_release_date": "2025-02-04T09:10:55.525420Z",
"id": "NCSC-2025-0038",
"initial_release_date": "2025-02-04T09:10:55.525420Z",
"revision_history": [
{
"date": "2025-02-04T09:10:55.525420Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "zimbra_collaboration_server",
"product": {
"name": "zimbra_collaboration_server",
"product_id": "CSAFPID-1659643",
"product_identification_helper": {
"cpe": "cpe:2.3:a:synacor:zimbra_collaboration_server:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "synacor"
},
{
"branches": [
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-583669",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757303",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.10:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757304",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.11:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661049",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.1:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661052",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661051",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661053",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.4:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661057",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661058",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.6:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661050",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.7:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1661055",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.8:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757302",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.0.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757305",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757306",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.1:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757307",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.2:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "collaboration_suite",
"product": {
"name": "collaboration_suite",
"product_id": "CSAFPID-1757308",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:collaboration_suite:10.1.3:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "zimbra_collaboration",
"product": {
"name": "zimbra_collaboration",
"product_id": "CSAFPID-1731223",
"product_identification_helper": {
"cpe": "cpe:2.3:a:zimbra:zimbra_collaboration:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "zimbra"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45516",
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45516",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45516.json"
}
],
"title": "CVE-2024-45516"
},
{
"cve": "CVE-2025-25064",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25064",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25064.json"
}
],
"title": "CVE-2025-25064"
},
{
"cve": "CVE-2025-25065",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1659643",
"CSAFPID-583669",
"CSAFPID-1757303",
"CSAFPID-1757304",
"CSAFPID-1661049",
"CSAFPID-1661052",
"CSAFPID-1661051",
"CSAFPID-1661053",
"CSAFPID-1661057",
"CSAFPID-1661058",
"CSAFPID-1661050",
"CSAFPID-1661055",
"CSAFPID-1757302",
"CSAFPID-1757305",
"CSAFPID-1757306",
"CSAFPID-1757307",
"CSAFPID-1757308",
"CSAFPID-1731223"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25065",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25065.json"
}
],
"title": "CVE-2025-25065"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.