4.7

CVE-2025-67809

EPSS 0.04%
Veröffentlicht 15.12.2025 00:00:00
Zuletzt bearbeitet 30.12.2025 20:30:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zimbra ≫ Collaboration Version >= 10.0.0 < 10.1.13

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.114

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.7	1.6	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Vendor Advisory

https://wiki.zimbra.com/wiki/Security_Center

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-67809

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67809

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67809

EUVD