Description

Zimbra Collaboration contains a local file inclusion vulnerability caused by improper handling of user-supplied input in a REST servlet component. Due to insufficient validation of request parameters, an unauthenticated remote attacker can craft requests that force the application to include arbitrary files from within the web root directory.

Remediation

Upgrade Zimbra Collaboration Suite to the latest patched version and ensure all security updates are applied regularly.
