Detections
Analytics

CVE-2025-32354

high

Description

In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.

References

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes

https://wiki.zimbra.com/wiki/Security_Center

Details

Source: Mitre, NVD

Published: 2025-04-29

Updated: 2025-04-29

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00017