NVD - CVE-2025-67809
Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | CISA-ADP |
Known Affected Software Configurations
Change History
3 change records found
Initial Analysis by NIST 12/30/2025 3:30:14 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.1.13 | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Security_Center Types: Release Notes | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy Types: Product | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories Types: Vendor Advisory | |
CVE Modified by CISA-ADP 12/15/2025 4:15:59 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | |
| Added | CWE | CWE-798 | |
New CVE Received from MITRE 12/15/2025 3:15:52 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked. | |
| Added | Reference | https://wiki.zimbra.com/wiki/Security_Center | |
| Added | Reference | https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy | |
| Added | Reference | https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories | |