
Zimbra has issued security patches addressing multiple vulnerabilities in its Collaboration software suite. The most severe flaw, tracked as CVE-2025-25064, carries a critical CVSS score of 9.8.
Key Vulnerabilities Addressed:
1. SQL Injection (CVE-2025-25064)
– Affects ZimbraSync Service SOAP endpoint
– Impacts versions before 10.0.12 and 10.1.4
– Allows authenticated attackers to retrieve email metadata
– Caused by insufficient parameter sanitization
2. Cross-Site Scripting (XSS)
– Affects Zimbra Classic Web Client
– Fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5
– The fix tightens input sanitization in the web client
3. Server-Side Request Forgery (CVE-2025-25065)
– CVSS score: 5.3 (medium severity)
– Impacts RSS feed parser component
– Allows an attacker to make the server issue requests to internal network resources
– Patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4
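For a defender, the first practical question is whether a given installation already carries the fixed release for each of the three issues. The script below is an added example written for this page (it is not Zimbra's own tooling): it parses version strings in the two forms the advisory uses ("10.0.12" and "9.0.0 Patch 44"), keeps the fixed-release table exactly as the advisory states it, and reports "unknown" where the advisory names no fixed release for a branch (for example the 9.0.0 line for CVE-2025-25064). The sample versions in the `__main__` block are constructed inputs.

```python
"""Check an installed Zimbra Collaboration version against the fixed releases
named in the advisory above.  Example code written for this page, not Zimbra's
own tooling.  The fixed-version table is copied from the advisory text; where
the advisory names no fixed release for a branch, the result is "unknown"."""
from __future__ import annotations

import re

# Fixed releases as stated in the advisory, keyed by issue and by release branch.
FIXED_IN: dict[str, dict[str, str]] = {
    "CVE-2025-25064 (SQL injection)": {"10.0": "10.0.12", "10.1": "10.1.4"},
    "XSS (Classic Web Client)": {"9.0": "9.0.0 Patch 44", "10.0": "10.0.13", "10.1": "10.1.5"},
    "CVE-2025-25065 (SSRF)": {"9.0": "9.0.0 Patch 43", "10.0": "10.0.12", "10.1": "10.1.4"},
}

# Accepts "10.0.12" and "9.0.0 Patch 44"; the patch number is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a Zimbra version string into a comparable (major, minor, build, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {text!r}")
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def branch_of(version: tuple[int, int, int, int]) -> str:
    """Release branch is the major.minor pair, e.g. '10.1'."""
    return f"{version[0]}.{version[1]}"


def status(installed: str, issue: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one advisory issue."""
    v = parse_version(installed)
    fixed_for_branch = FIXED_IN[issue].get(branch_of(v))
    if fixed_for_branch is None:
        return "unknown"  # advisory names no fixed release for this branch
    return "fixed" if v >= parse_version(fixed_for_branch) else "vulnerable"


def assess(installed: str) -> dict[str, str]:
    """Status of every issue in the advisory for one installed version."""
    return {issue: status(installed, issue) for issue in FIXED_IN}


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for ver in ("10.0.12", "10.1.3", "9.0.0 Patch 43", "9.0.0 Patch 44"):
        print(ver, assess(ver))
```

Note that a version on the fixed release for CVE-2025-25064 and CVE-2025-25065 (10.0.12 or 10.1.4) still reports the XSS issue as vulnerable, because that fix only landed one release later; the comparison is done per issue rather than against a single "latest" version for exactly that reason.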
Users are strongly advised to upgrade to the latest version of Zimbra Collaboration to protect their systems against these vulnerabilities.