=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN465
_____________________________________________________________________

DATE                : 23/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zimbra Collaboration Suite
                        versions prior to 10.0.16, 10.1.10.

=====================================================================
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
_____________________________________________________________________


Zimbra Collaboration - Security Vulnerability Advisories

Note: only supported versions are referenced; however, older unsupported
versions often have the same vulnerabilities and should be upgraded to
supported versions as soon as possible. (The list on the wiki goes back
to ZCS 7.1.3; only the entries fixed in 10.0.16 and 10.1.10 are
reproduced below.)

Columns on the wiki: Bug# / Summary / CVE-ID / CVSS Score / Zimbra Rating /
Fix Release or Patch Version / Reporter. Fields left empty on the wiki
are shown as "-".

Bug#             : -
Summary          : Addressed a Cross-Site Request Forgery (CSRF)
                   vulnerability in the ResetPasswordRequest SOAP
                   operation by enforcing CSRF token validation.
CVE-ID           : CVE-2025-54390
CVSS Score       : TBD
Zimbra Rating    : -
Fix Release      : 10.0.16, 10.1.10
Reporter         : -

Bug#             : -
Summary          : A security fix has been applied to require a valid
                   auth token before allowing 2FA modifications,
                   preventing unauthorized changes.
CVE-ID           : CVE-2025-54391
CVSS Score       : TBD
Zimbra Rating    : -
Fix Release      : 10.0.16, 10.1.10
Reporter         : Ashish Kataria

Bug#             : -
Summary          : Access to the GraphiQL IDE at /modern/graphiql has
                   been disabled.
CVE-ID           : -
CVSS Score       : -
Zimbra Rating    : -
Fix Release      : 10.1.10
Reporter         : -

Bug#             : -
Summary          : The @babel/runtime package has been upgraded to
                   version 7.27.6 to address a ReDoS vulnerability.
CVE-ID           : CVE-2025-27789
CVSS Score       : -
Zimbra Rating    : -
Fix Release      : 10.1.10
Reporter         : -

Bug#             : -
Summary          : The Rsync package has been upgraded to version 3.4.1
                   to fix multiple vulnerabilities.
CVE-ID           : -
CVSS Score       : -
Zimbra Rating    : -
Fix Release      : 10.1.10
Reporter         : -

Bug#             : -
Summary          : Write access to /opt/zimbra/jetty/webapps has been
                   restricted to enhance security and mitigate
                   potential risks.
CVE-ID           : -
CVSS Score       : -
Zimbra Rating    : -
Fix Release      : 10.0.16
Reporter         : -

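The check an administrator will want after reading this note is whether a
given ZCS install sits below the fix releases it lists. The script below
is an added example, not part of the CERT-Renater note and not Zimbra's own
tooling: it parses a release string of the shape printed by
/opt/zimbra/bin/zmcontrol -v (that shape is assumed, and the sample line in
the script is constructed), compares the patch level against 10.0.16 or
10.1.10 depending on the branch, and optionally probes the /modern/graphiql
path that 10.1.10 disables when a hypothetical ZCS_HOST variable is set.

```shell
#!/bin/sh
# Added example (not from the CERT-Renater note or from Zimbra): decide from
# a ZCS release string whether the install is below the fix releases listed
# above (10.0.16 on the 10.0 branch, 10.1.10 on the 10.1 branch). The sample
# "zmcontrol -v" line is constructed; on a real host run
# /opt/zimbra/bin/zmcontrol -v as the zimbra user.

FIX_PATCH_10_0=16   # first fixed patch level on the 10.0 branch
FIX_PATCH_10_1=10   # first fixed patch level on the 10.1 branch

# extract_zcs_version "<zmcontrol -v output>"  -> prints MAJOR.MINOR.PATCH
# Assumes the "Release 10.1.9.GA.4321.UBUNTU22.64 ..." shape (assumption);
# prints nothing when the line does not match.
extract_zcs_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# zcs_patch_status MAJOR.MINOR.PATCH -> prints one of:
#   vulnerable   below the fix release of a branch covered by this note
#   fixed        at or above the fix release of that branch
#   unsupported  branch older than 10.0 (not in the note; upgrade, see above)
#   uncovered    branch newer than 10.1 (not in the note)
zcs_patch_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        10.0) fix=$FIX_PATCH_10_0 ;;
        10.1) fix=$FIX_PATCH_10_1 ;;
        *)
            if [ "$major" -lt 10 ]; then echo unsupported; else echo uncovered; fi
            return 0 ;;
    esac
    if [ "$patch" -lt "$fix" ]; then echo vulnerable; else echo fixed; fi
}

# Optional live probe of the GraphiQL IDE path that 10.1.10 disables.
# Runs only when the hypothetical ZCS_HOST variable is set; prints the
# HTTP status code so the operator can see whether the path still serves.
check_graphiql_endpoint() {
    [ -n "$ZCS_HOST" ] || return 0
    curl -sk -o /dev/null -w '%{http_code}\n' "https://$ZCS_HOST/modern/graphiql"
}

# Use the real zmcontrol output when present, otherwise the constructed sample.
if [ -x /opt/zimbra/bin/zmcontrol ]; then
    release_line=$(/opt/zimbra/bin/zmcontrol -v 2>/dev/null | head -n 1)
else
    release_line='Release 10.1.9.GA.4321.UBUNTU22.64 UBUNTU22_64 FOSS edition.'
fi
version=$(extract_zcs_version "$release_line")
if [ -n "$version" ]; then
    echo "ZCS $version: $(zcs_patch_status "$version")"
else
    echo "could not parse release line: $release_line"
fi
check_graphiql_endpoint
```

The comparison is numeric on the patch field only, which is enough here
because each branch has exactly one fix release in the note; a host on a
branch the note does not mention is reported as such rather than silently
marked fixed.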

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
