CVE-2025-67809
Severity: MEDIUM
Zimbra Collaboration 10.0-10.1 < 10.1.13 - Hardcoded Flickr API Credentials in Zimlet
Title source: llmDescription
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
References (3)
Release Notes
https://wiki.zimbra.com/wiki/Security_Center
Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Scores
CVSS v3
4.7
EPSS
0.0024
EPSS Percentile
14.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-798
Status
published
Products (1)
zimbra/collaboration
10.0.0 - 10.1.13
Published
Dec 15, 2025
Tracked Since
Feb 18, 2026