Zimbra Daffodil v10.1.13 Security Patch Summary (CVE-2025-66376, LFI, XSS)

Zimbra Daffodil (v10.1.13) Security Fix Summary 1. Vulnerability Overview This update primarily addresses the following critical security vulnerabilities: Stored XSS (Classic UI): Attackers can abuse CSS directives within email HTML. Credential Leakage: Hardcoded Flickr API credentials exist within the Flickr Zimlet. Path Traversal/Unsafe File Export: The API lacks path validation. CSRF (Cross-Site Request Forgery): Missing CSRF enforcement checks in specific authentication flows. Unauthorized Local File Inclusion (LFI): An unauthorized access vulnerability exists within . PDF Preview XSS: The PDF preview feature in the Classic Web App contains a stored XSS risk. Information Leakage: may leak internal errors under malformed requests. Account Enumeration: An administrator account enumeration vulnerability exists. Dependency Risk: The Apache HttpClient library version is outdated. 2. Scope of Impact (CVE & CVSS) 3. Remediation Measures Classic UI XSS: Fixed the stored XSS vulnerability within the Classic UI. Credential Management: Revoked and removed hardcoded Flickr API credentials from the Flickr Zimlet. API Security: Implemented path validation in the API to prevent unsafe file exports. CSRF Fix: Addressed the missing CSRF enforcement in specific authentication flows. LFI Fix: Resolved the unauthorized local file inclusion vulnerability in . Feature Removal: Removed the PDF preview option in the Classic Web App to eliminate stored XSS risks associated with PDF attachments (switched to direct download). Input Validation: Added input validation and null checks in to prevent internal error leakage. Account Security: Resolved the administrator account enumeration issue. Dependency Upgrade: Upgraded the Apache HttpClient library to version 4.5.14. 4. POC / Exploit Code No POC Code Included: The page does not contain specific Proof of Concept (POC) or exploit code. Package Information: The "Packages" section at the bottom of the page only lists the upgraded dependency library versions (e.g., , , , etc.), not exploit code.

Goal Reached Thanks to every supporter — we hit 100%!

Zimbra Daffodil v10.1.13 Security Patch Summary (CVE-2025-66376, LFI, XSS)