Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
References
wiki.zimbra.com/wiki/Zimbra_Security_Advisories
wiki.zimbra.com/wiki/Security_Center
wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
