CVE-2025-32354

Published Apr 29, 2025

Last updated 9 months ago

CVSS high 8.8

Overview

Description
In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.
Source
cve@mitre.org
NVD status
Analyzed
Products
zimbra_collaboration_suite

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-352

Social media

Hype score
Not currently trending

  1. 🔴 Zimbra Collaboration, CSRF, #CVE-2025-32354 (Critical) https://t.co/VsECQWw37I

    @dailycve

    12 Jun 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A critical CSRF vulnerability (CVE-2025-32354) in Zimbra Collaboration Suite (versions 9.0 to 10.1) allows session hijacking and data theft. Users urged to upgrade for protection. ⚠️ #Zimbra #EmailSecurity #USA link: https://t.co/emeoRgxL5n https://t.co/xppHys5ohn

    @TweetThreatNews

    1 May 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️ Vulnerability Alert: Zimbra Collaboration Suite GraphQL CSRF Vulnerability (CVE-2025-32354) 📅 Timeline: Disclosure: 2025-04-29, Patch: 2025-05-01 (Zimbra 10.1.4) 🆔 **CVE ID:** CVE-2025-32354 📊 **CVSS Severity:** High 🟠 📂 **Affected Versions:** -

    @syedaquib77

    30 Apr 2025

    30 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    1 Reply

    0 Quotes

  4. CVE-2025-32354 In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbr… https://t.co/BArDqj1yGy

    @CVEnew

    29 Apr 2025

    287 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion VulnerabilityCVE-2025-68645
  2. An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.CVE-2025-48700
  3. An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.CVE-2024-45516
  4. Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting VulnerabilityCVE-2025-27915
  5. SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.CVE-2025-25065

References

Sources include official advisories and independent security research.