Zimbra Daffodil 10.0.18 Security Update: XSS, LFI, CSRF, Path Traversal (CVE-2025-66376, CVE-2025-66645)

Key Vulnerability Summary Vulnerability Overview This release (Zimbra Daffodil 10.0.18) primarily addresses the following security vulnerabilities: 1. Stored XSS Vulnerability: Present in the Classic UI, where attackers can exploit CSS directives within email HTML. 2. Missing Path Validation: The API lacks path validation, potentially allowing unsafe file exports. 3. Missing CSRF Protection: Specific authentication flows lack Cross-Site Request Forgery (CSRF) protection. 4. Local File Inclusion (LFI): An unauthenticated LFI vulnerability exists within . Impact Scope (CVE-ID) CVE-2025-66376: Corresponds to the Classic UI Stored XSS vulnerability (CVSS Score: TBD). NA: Corresponds to the path validation issue in the ExportAndDeleteItemsRequest API (CVSS Score: NA). CVE-2026-33373: Corresponds to the CSRF issue in specific authentication flows (CVSS Score: TBD). CVE-2025-66645: Corresponds to the LFI vulnerability in RestFilter (CVSS Score: TBD). Remediation 1. Version Upgrade: Upgrade the system to Zimbra Daffodil 10.0.18. 2. Component Upgrades: Upgrade ClamAV package from 1.0.6 to 1.4.3. Upgrade Jetty package from 9.4.46.v20220331 to 9.4.57.v20241219. 3. Specific Package Updates: -> 10.0.18.1761913921-1 -> 10.0.18.1761913921-1 -> 10.0.18.1759693082-1 -> 10.0.18.1761912336-1 -> 10.0.18.1761913154-1 -> 10.0.18.1759856941-1 -> 10.0.18.1761926764-2 -> 10.0.18.1761926764-1 -> 10.0.18.1761926764-1 -> 10.0.18.1761926764-1 -> 10.0.18.1761926764-1 -> 4.49.2.1759913548-1 -> 4.49.2.1759913548-1 -> 1760359146-1 -> 1.4.3-121mbra8.8b4 -> 1.6.6-121mbra8.7b3 -> 10.0.1-121mbra8.8b1 -> 9.4.57.v20241219-2 POC / Exploit Code The provided screenshot does not contain specific POC code or exploit scripts.

Goal Reached Thanks to every supporter — we hit 100%!

Zimbra Daffodil 10.0.18 Security Update: XSS, LFI, CSRF, Path Traversal (CVE-2025-66376, CVE-2025-66645)