CVE-2025-25064

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-25064
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
History

11 Jun 2025, 21:18

Type Values Removed Values Added
References () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes - () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes - Release Notes
References () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes - () https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes - Release Notes
References () https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories - () https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories - Vendor Advisory
First Time Synacor
Synacor zimbra Collaboration Suite
CPE cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*

14 Mar 2025, 18:15

Type Values Removed Values Added
CWE CWE-89
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

18 Feb 2025, 19:15

Type Values Removed Values Added
CWE CWE-89
CVSS v2 : unknown
v3 : 9.8 		v2 : unknown
v3 : unknown

06 Feb 2025, 20:15

Type Values Removed Values Added
Summary (en) SQL injection vulnerability in the ZimbraSyncService SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4. (en) SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.

04 Feb 2025, 16:15

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de inyección SQL en ZimbraSyncService SOAP endpoint en Zimbra Collaboration 10.0.x anterior a 10.0.12 y 10.1.x anterior a 10.1.4.
CWE CWE-89
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

03 Feb 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-03 20:15

Updated : 2025-06-11 21:18

NVD link : CVE-2025-25064

Mitre link : CVE-2025-25064

CVE.ORG link : CVE-2025-25064

JSON object : View

Products Affected

synacor

  • zimbra_collaboration_suite
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')