8.8
CVE-2025-25064
- EPSS 34.36%
- Veröffentlicht 03.02.2025 20:15:37
- Zuletzt bearbeitet 11.06.2025 21:18:03
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Synacor ≫ Zimbra Collaboration Suite Version >= 10.0.0 < 10.0.12
Synacor ≫ Zimbra Collaboration Suite Version >= 10.1.0 < 10.1.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 34.36% | 0.982 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes