CVE-2025-32354

Опубликовано: 29 апр. 2025

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.

Ссылки

https://wiki.zimbra.com/wiki/Security_Center
Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes
Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*

Версия от 9.0.0 (включая) до 10.1.4 (исключая)

EPSS

Процентиль: 8%

0.0003

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-59f6-q63c-5833

CVSS3: 8.8

github

9 месяцев назад

BDU:2025-12727

CVSS3: 6.5

fstec