CVE-2025-67809
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-16
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimbra | zimbra_collaboration | 10.0 |
| zimbra | zimbra_collaboration | 10.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves hardcoded Flickr API credentials embedded in the publicly accessible Flickr Zimlet of Zimbra Collaboration versions 10.0 and 10.1. Because these credentials are hardcoded and exposed, unauthorized parties can retrieve and misuse them to impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user approves such a malicious request, the attacker could gain access to the user's Flickr data.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to users' Flickr data if an attacker uses the exposed API credentials to impersonate the application and trick users into approving OAuth requests. This could result in data exposure or misuse of the user's Flickr account.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps include updating the Zimbra Collaboration software to a version where the hardcoded Flickr API key and secret have been removed from the Flickr Zimlet code. Additionally, ensure that any exposed Flickr API keys are revoked and monitor for any unauthorized use of Flickr OAuth flows related to your environment.