Zimbra Collaboration SQL Injection Vulnerability in ZimbraSync Service SOAP Endpoint

Vulnerability

A SQL injection vulnerability has been identified in the ZimbraSync Service SOAP endpoint of Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This vulnerability arises from inadequate sanitization of user-supplied parameters, allowing authenticated attackers to manipulate requests and inject arbitrary SQL queries that could be used to retrieve email metadata.

Impact

Successful exploitation lets an authenticated attacker execute attacker-controlled SQL queries against the Zimbra database. This could lead to unauthorized access to email metadata or other sensitive information stored in the database.

Remediation

Upgrade to Zimbra Collaboration 10.0.12 (for the 10.0.x branch) or 10.1.4 (for the 10.1.x branch) to address this vulnerability. Instructions for upgrading Zimbra can be found on the Zimbra website.
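As an added example (not from the advisory or from Zimbra), a small Python check that decides whether an installed Zimbra Collaboration version falls inside the affected ranges above. It assumes versions are given as dotted strings, optionally followed by an underscore build suffix, and it handles the branch-specific fix boundary: 10.1.0 is affected even though it sorts after 10.0.12.

```python
from typing import Optional

# Fixed releases named in the advisory, keyed by affected minor branch.
# The table layout is this example's own; the version numbers are the
# advisory's (10.0.x fixed in 10.0.12, 10.1.x fixed in 10.1.4).
FIXED_VERSIONS = {
    (10, 0): (10, 0, 12),
    (10, 1): (10, 1, 4),
}


def parse_version(text: str) -> tuple:
    """Parse a dotted version such as '10.0.11' into (major, minor, patch).

    Anything after an underscore (an assumed build suffix such as
    '_GA_4567') is ignored; a missing patch level is treated as 0.
    """
    core = text.strip().split("_")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is in a vulnerable range, False if it carries
    the fix, None if its branch is outside the advisory's scope."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Not a 10.0.x or 10.1.x release: the advisory says nothing about it.
        return None
    # Compare only within the branch; a plain version sort would wrongly
    # treat 10.1.0 as newer than the 10.0.12 fix.
    return version < fixed


if __name__ == "__main__":
    # Constructed sample values, not real deployments.
    for sample in ["10.0.11", "10.0.12", "10.1.0", "10.1.3_GA_4567",
                   "10.1.4", "9.0.0"]:
        print(sample, is_affected(sample))
```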

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.0
threat: 0.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.