vulnerability
Zimbra Collaboration: CVE-2025-67809: Revoked and removed hardcoded Flickr API credentials from the Flickr Zimlet.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:H/Au:N/C:P/I:P/A:N) | Dec 15, 2025 | Jan 6, 2026 | Jan 6, 2026 |
Severity
4
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:N)
Published
Dec 15, 2025
Added
Jan 6, 2026
Modified
Jan 6, 2026
Description
An issue was discovered in zimbra collaboration (zcs) 10.0 and 10.1. a hardcoded flickr api key and secret are present in the publicly accessible flickr zimlet used by zimbra collaboration. because these credentials are embedded directly in the zimlet, any unauthorized party could retrieve them and misuse the flickr integration. an attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid flickr oauth flows. if a user is tricked into approving such a request, the attacker could gain access to the user s flickr data. the hardcoded credentials have since been removed from the zimlet code, and the associated key has been revoked.
Solution
zimbra-collaboration-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.