CVE-2025-68645
Local File Inclusion in Zimbra Webmail Allows File Disclosure
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimbra | collaboration | 10.1 |
| zimbra | collaboration | 10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the Webmail Classic UI of Zimbra Collaboration versions 10.0 and 10.1. It occurs because the RestFilter servlet improperly handles user-supplied request parameters. An unauthenticated remote attacker can send crafted requests to the /h/rest endpoint, which can manipulate internal request dispatching and cause arbitrary files from the WebRoot directory to be included.
How can this vulnerability impact me?
The vulnerability can allow an unauthenticated remote attacker to include arbitrary files from the WebRoot directory, potentially exposing sensitive information and compromising the confidentiality, integrity, and availability of the system. This can lead to data breaches, unauthorized access, and disruption of services.