PT-2025-51284 · Yahoo+1 · Flickr+1
Published 2025-12-15 · Updated 2025-12-31
CVE-2025-67809
CVSS v3.1: 4.7 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zimbra Collaboration versions 10.0 and 10.1
Description
A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. An attacker with access to these credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user’s Flickr data. The hardcoded credentials have been removed from the Zimlet code, and the associated key has been revoked.
Recommendations
Update to a version where the hardcoded credentials have been removed.
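The weakness described above is a credential baked into client-visible Zimlet code, which is exactly the kind of defect a repository scan catches before release. The following Python script is an added example, not code from Zimbra or from the advisory: it flags credential-looking string literals assigned in JavaScript sources such as a Zimlet bundle, using a name heuristic (key, secret, token, password), a placeholder allowlist and a Shannon-entropy threshold. The sample source, the marker list and the thresholds are constructed for illustration and should be tuned per code base.

```python
"""Flag hardcoded API credentials in Zimlet/JavaScript sources (added example)."""
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Assignments whose name suggests a credential and whose value is a string
# literal of at least 16 characters, e.g.
#   var apiKey = "...";    "api_secret": '...',    secret: "..."
ASSIGN_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*?(?:key|secret|token|password)[A-Za-z0-9_]*)"
    r"\s*[\"']?\s*[:=]\s*[\"'](?P<value>[^\"'\n]{16,})[\"']",
    re.IGNORECASE,
)

# Obvious placeholders that templates and documentation legitimately contain
# (constructed list; extend it for your own conventions).
PLACEHOLDER_MARKERS = ("your_", "changeme", "example", "<", ">", "xxxx")

# Bits per character. A hex key scores 4.0, English prose roughly 3.2;
# the threshold is a tuning knob, not a hard rule.
MIN_ENTROPY = 3.5


class Finding(NamedTuple):
    line: int
    name: str
    value: str
    entropy: float


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """True when the literal is template text rather than a real credential."""
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def find_hardcoded_secrets(source: str) -> List[Finding]:
    """Return credential-looking string literals assigned anywhere in `source`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            # Real keys contain no whitespace; prose and UI labels usually do.
            if any(ch.isspace() for ch in value) or looks_like_placeholder(value):
                continue
            ent = shannon_entropy(value)
            if ent >= MIN_ENTROPY:
                findings.append(Finding(lineno, m.group("name"), value, round(ent, 2)))
    return findings


# Constructed sample modelled on a Zimlet that talks to a photo-sharing API.
# The key values are made up and deliberately low-effort (repeated hex digits).
SAMPLE_ZIMLET_JS = """\
// constructed sample, not real Zimlet code
var FLICKR_API_KEY = "0123456789abcdef0123456789abcdef";
var settings = { "api_secret": 'fedcba9876543210' };
var apiKey = "YOUR_FLICKR_API_KEY_HERE";          // template placeholder, not flagged
var userTokenLabel = "Enter your token";          // prose, not flagged
var endpoint = "https://api.example.invalid/services/oauth"; // no credential name
"""


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_ZIMLET_JS):
        print(f"line {f.line}: {f.name} = {f.value[:6]}... (entropy {f.entropy})")
```

Run over a checked-out Zimlet or any front-end bundle before it is published; anything that survives the whitespace and placeholder filters with high entropy deserves a manual look, and the remediation is the one the advisory applies: move the OAuth client key and secret out of the shipped code into server-side configuration and revoke the exposed key.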
Fix
The hardcoded credentials have been removed from the Zimlet code and the associated key has been revoked.
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
CVE-2025-67809
Affected Products
Flickr
Zimbra Collaboration