CVE-2025-67809

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67809

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67809.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67809

Published

2025-12-15T20:15:52.103Z

Modified

2026-04-10T05:34:51.400930Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.

References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type

GIT

Repo

https://github.com/zimbra/zm-build

Events

Introduced

b68c7b31a1d94f94903a79c53f1bd316b792de1d

Fixed

1884e94c76d9602c75dff36c9ff9a5ec2224c582

Database specific

{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.13"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67809.json"