Wednesday , February 12 2025
Zimbra

Zimbra Releases Updates for SQL Injection, XSS, and SSRF Vulns

infosecbulletin 2 days ago Alert, Vulnerabilities

Zimbra has released updates for its Collaboration software to fix critical security flaws that could lead to information disclosure if exploited. CVE-2025-25064 is a critical vulnerability with a CVSS score of 9.8. It is an SQL injection issue in the ZimbraSync Service SOAP endpoint, affecting versions before 10.0.12 and 10.1.4.

Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by “manipulating a specific parameter in the request.”

Microsoft 2025 February Patch Tuesday fixes 2 zero-days, 55 flaws

By infosecbulletin / Wednesday , February 12 2025
Microsoft's February 2025 Patch Tuesday includes security updates for 55 vulnerabilities, including four zero-days, two of which are currently being...
Read More
Microsoft 2025 February Patch Tuesday fixes 2 zero-days, 55 flaws

Patch Now
SonicWall firewall vuln allows hackers to hijack VPN sessions

By infosecbulletin / Wednesday , February 12 2025
Bishop Fox security researchers have released detailed information on the CVE-2024-53704 vulnerability, which lets attackers bypass authentication in some versions...
Read More
Patch Now SonicWall firewall vuln allows hackers to hijack VPN sessions

SAP Security Patch February 2025: Multi Vulns Addressed

By infosecbulletin / Tuesday , February 11 2025
SAP has issued new security patches for 19 vulnerabilities and updated 2 previous Security Notes. This Patch Day features fixes...
Read More
SAP Security Patch February 2025: Multi Vulns Addressed

TRACKING RANSOMWARE
Akira Topped January 2025 as the Most Active Ransomware Threat

By infosecbulletin / Tuesday , February 11 2025
In January 2025, there were 510 global ransomware incidents, with Akira as the leading group and new ones like MORPHEUS...
Read More
TRACKING RANSOMWARE Akira Topped January 2025 as the Most Active Ransomware Threat

FinStealer Malware Targets Indian Bank’s Mobile Users, Stealing Credentials

By infosecbulletin / Tuesday , February 11 2025
CYFIRMA analysis reveals a sophisticated malware campaign that exploits a major Indian bank's brand through fake mobile apps. These apps,...
Read More
FinStealer Malware Targets Indian Bank’s Mobile Users, Stealing Credentials

CVE-2024-52875
Over 12,000 Firewall Vulnerable to 1-Click RCE Exploit

By infosecbulletin / Tuesday , February 11 2025
Over 1,200 firewall instances are vulnerable to a critical remote code execution issue, known as CVE-2024-52875. The vulnerability is found...
Read More
CVE-2024-52875 Over 12,000 Firewall Vulnerable to 1-Click RCE Exploit

CVE-2025-24200
Apple releases update of zero-day vuln exploited in the Wild

By infosecbulletin / Tuesday , February 11 2025
Apple has issued emergency security updates to fix a zero-day vulnerability, CVE-2025-24200, which is being exploited in targeted attacks on...
Read More
CVE-2025-24200 Apple releases update of zero-day vuln exploited in the Wild

Zimbra Releases Updates for SQL Injection, XSS, and SSRF Vulns

By infosecbulletin / Monday , February 10 2025
Zimbra has released updates for its Collaboration software to fix critical security flaws that could lead to information disclosure if...
Read More
Zimbra Releases Updates for SQL Injection, XSS, and SSRF Vulns

CVE-2025-23369
SAML Bypass Auth on GitHub Enterprise Servers to Login

By infosecbulletin / Monday , February 10 2025
A serious security vulnerability, CVE-2025-23369, has been found in GitHub Enterprise Server (GHES) that lets attackers bypass SAML authentication and...
Read More
CVE-2025-23369 SAML Bypass Auth on GitHub Enterprise Servers to Login

India to launch new domain name for banks to combat digital fraud

By infosecbulletin / Saturday , February 8 2025
India's central bank to launch a special “.bank.in” domain for banks in April 2025 to fight digital payment fraud and...
Read More
India to launch new domain name for banks to combat digital fraud

Zimbra announced it has fixed a critical stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client, but it has not yet received a CVE identifier.

“The fix strengthens input sanitization and enhances security,” the company said in an advisory, adding the issue has been fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Zimbra fixed a medium-severity vulnerability (CVE-2025-25065, CVSS score: 5.3) in its RSS feed parser. This server-side request forgery (SSRF) flaw could allow unauthorized access to internal network endpoints.

The security issue has been fixed in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Customers should update to the latest Zimbra Collaboration versions for better protection.

Check Also

12,000 Firewall

CVE-2024-52875
Over 12,000 Firewall Vulnerable to 1-Click RCE Exploit

Over 1,200 firewall instances are vulnerable to a critical remote code execution issue, known as …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2025, All Rights Reserved InfoSecBulletin