CVE-2025-67809

MEDIUM

Zimbra Collaboration < 10.1.13 - Hard-coded Credentials

Title source: rule

Description

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.

References (3)

[Release Notes] https://wiki.zimbra.com/wiki/Security_Center

[Product] https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

[Vendor Advisory] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Scores

CVSS v3 4.7

EPSS 0.0005

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-798

Status published

Products (1)

zimbra/collaboration 10.0.0 - 10.1.13

Published Dec 15, 2025

Tracked Since Feb 18, 2026