Summary: Zimbra has released security updates for its Collaboration software addressing three vulnerabilities, the most serious of which can lead to information disclosure. Notable flaws include a critical SQL injection vulnerability (CVE-2025-25064, CVSS score 9.8) in the ZimbraSync Service SOAP endpoint and a stored XSS vulnerability; both have been patched in recent releases. A medium-severity SSRF flaw (CVE-2025-25065) has also been addressed. Users are urged to upgrade to the latest versions.
Affected: Zimbra Collaboration software
Key points:
- CVE-2025-25064 is a critical SQL injection flaw that can lead to information disclosure; CVE-2025-25065 is a medium-severity SSRF flaw that can redirect requests to internal network endpoints.
- The SQL injection flaw affects ZimbraSync Service SOAP endpoint in versions prior to 10.0.12 and 10.1.4.
- Users should update to the fixed releases (9.0.0 Patch 44, 10.0.13, and 10.1.5), which carry all of the fixes.
Source: https://thehackernews.com/2025/02/zimbra-releases-security-updates-for.html
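The practical check that follows from the version numbers above is whether a given installation is at or past the fixed releases. The script below is an added example, not Zimbra's code or anything from the source article: it parses a version string of the kind a `zmcontrol -v` banner or a login page exposes (assumed formats "10.0.12", "9.0.0 Patch 44" or "... Patch 9.0.0_P44") and classifies it against the releases named in the key points. The 10.x thresholds for the SQL injection fix (10.0.12 / 10.1.4) and the recommended releases (9.0.0 Patch 44, 10.0.13, 10.1.5) are taken from the advisory; which 9.0.0 patch level first fixed the SQL injection is not stated on the page, so only the 10.x branches carry that separate threshold. The sample banner strings are constructed.

```python
"""Added example (not Zimbra's code): classify a Zimbra Collaboration version
string against the fixed releases named in the advisory.

Assumed input formats: "10.0.12", "9.0.0 Patch 44", or a banner such as
"Release 9.0.0.GA.4258... Patch 9.0.0_P44."  Thresholds come from the advisory;
the 9.0.0 patch level that first fixed CVE-2025-25064 is not on the page.
"""
import re
from typing import NamedTuple


class ZimbraVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    patch: int  # 9.0.0 "Patch NN" level; 0 when the string gives none


# Releases the advisory recommends, which carry all three fixes.
FIXED_ALL = {
    (9, 0): ZimbraVersion(9, 0, 0, 44),
    (10, 0): ZimbraVersion(10, 0, 13, 0),
    (10, 1): ZimbraVersion(10, 1, 5, 0),
}
# Releases in which the SQL injection (CVE-2025-25064) was first fixed.
FIXED_SQLI = {
    (10, 0): ZimbraVersion(10, 0, 12, 0),
    (10, 1): ZimbraVersion(10, 1, 4, 0),
}

_TRIPLE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# "_P44" (banner style) or "Patch 44"; the "(?!\.)" lookahead stops
# "Patch 9.0.0_P44" from being read as patch level 9.
_PATCH_RE = re.compile(r"_P(\d+)|Patch\s+(\d+)(?!\.)", re.IGNORECASE)


def parse_version(text: str) -> ZimbraVersion:
    """Pull major.minor.micro and an optional patch level out of free text."""
    m = _TRIPLE_RE.search(text)
    if m is None:
        raise ValueError(f"no version triple in {text!r}")
    major, minor, micro = (int(g) for g in m.groups())
    p = _PATCH_RE.search(text, m.end())
    patch = int(p.group(1) or p.group(2)) if p else 0
    return ZimbraVersion(major, minor, micro, patch)


def assess(text: str) -> dict:
    """Return the parsed version and a status: fixed, sqli-fixed (a 10.x
    build at or above the CVE-2025-25064 fix but below the recommended
    release), below-fixed, or unknown-branch (no threshold on the page)."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch not in FIXED_ALL:
        return {"version": v, "status": "unknown-branch"}
    if v >= FIXED_ALL[branch]:  # NamedTuple comparison is lexicographic
        status = "fixed"
    elif branch in FIXED_SQLI and v >= FIXED_SQLI[branch]:
        status = "sqli-fixed"
    else:
        status = "below-fixed"
    return {"version": v, "status": status, "recommended": FIXED_ALL[branch]}


if __name__ == "__main__":
    # Constructed sample strings in the shape of version banners.
    for sample in (
        "Release 10.0.7.GA.4518.UBUNTU22_64.UBUNTU22_64 FOSS edition.",
        "10.0.12",
        "Release 9.0.0.GA.4258.UBUNTU18_64 FOSS edition, Patch 9.0.0_P44.",
        "8.8.15",
    ):
        r = assess(sample)
        print(f"{sample!r:70} -> {r['status']} ({r['version']})")
```

A result of "sqli-fixed" means the build is past the SQL injection fix but not at the release the advisory recommends, so it should still be scheduled for upgrade; "unknown-branch" means the page gives no threshold for that branch and the vendor's own release notes must be consulted.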