Zimbra Classic Web Client Flaw Allows Attackers to Execute Arbitrary JavaScript

Zimbra has released urgent security patches addressing multiple high-severity vulnerabilities in its Collaboration Suite, including critical SQL injection and stored cross-site scripting flaws that could compromise email systems.

Administrators must apply updates immediately to prevent potential data breaches and unauthorized access.

SQL Injection Vulnerability (CVE-2025-25064)

A critical SQL injection flaw (CVSS 9.8) was discovered in the ZimbraSync Service SOAP endpoint, allowing authenticated attackers to manipulate database queries and retrieve sensitive email metadata.

The vulnerability stems from inadequate sanitization of user-supplied parameters in requests. Successful exploitation could expose confidential communications and organizational data.

The flaw affects versions before 10.0.12 and 10.1.4, with patches now available in the February 2025 security updates.

This vulnerability requires immediate remediation due to its high exploit potential and impact on data confidentiality.

Stored XSS in Classic Web Client

Multiple stored cross-site scripting (XSS) vulnerabilities (CVE-2025-27915, CVE-2024-45516) were identified in the Zimbra Classic Web Client.

These flaws enable attackers to inject malicious scripts through crafted HTML content, which execute when victims interact with compromised elements like folder share notifications or contact lists.

The vulnerabilities bypassed previous security measures, necessitating enhanced input sanitization protocols.

Patches are available in:

• 9.0.0 Patch 44
• 10.0.13
• 10.1.5

Zimbra emphasizes that all customers must upgrade immediately, noting that delayed patching could lead to account takeover and credential theft.

The fixes remove the temporary zimbra_owasp_strip_alt_tags_with_handlers localconfig attribute, replacing it with robust HTML sanitization.

Additional Security Enhancements

Recent updates also address:

1. Server-Side Request Forgery (SSRF): CVE-2025-25065 (CVSS 5.3) in RSS feed parser allowing internal network redirection, fixed in 9.0.0 Patch 43 and 10.0.12.
2. Admin Console DoS Vulnerability: A denial-of-service flaw disrupting services, patched in 9.0.0 Patch 46 and 10.0.15.
3. Local File Inclusion (LFI): CVE-2024-54663 permitting unauthorized file access via /h/rest endpoint, resolved in 10.0.11 and 10.1.3.

Mitigation strategies include enabling two-factor authentication, avoiding untrusted links, and restricting GraphQL GET methods via zimbra_gql_enable_dangerous_deprecated_get_method_will_be_removed=FALSE configuration. Administrators should subscribe to Zimbra’s security advisory RSS feed for real-time alerts and apply patches through yum update . apt update.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates

The post Zimbra Classic Web Client Flaw Allows Attackers to Execute Arbitrary JavaScript appeared first on Cyber Security News.