Vulnerability Description
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Synacor | Zimbra Collaboration Suite | >= 10.0.0, < 10.0.12 |
Related Weaknesses (CWE)
References
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes (Release Notes)
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes (Release Notes)
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (Vendor Advisory)
FAQ
What is CVE-2025-25064?
CVE-2025-25064 is a vulnerability with a CVSS score of 8.8 (HIGH). SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter...
How severe is CVE-2025-25064?
CVE-2025-25064 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-25064?
Check the references section above for vendor advisories and patch information. Affected products include: Synacor Zimbra Collaboration Suite.