CVE-2025-32354 Information
Apr 30, 2025
cve
Description
In Zimbra Collaboration (ZCS) 9.0 through 10.1 a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations such as modifying contacts changing account settings and accessing sensitive user data when an authenticated user visits a malicious website.
Reference
https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Share on: