Executive Summary

Informations
Name CVE-2025-8264 First vendor Publication 2025-07-29
Vendor Cve Last vendor Modification 2025-07-29

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database. **Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured. Mitigation Change configuration to use the default or LDAP in backend/imap/config.php php define('IMAP_DEFAULTFROM', ''); or php define('IMAP_DEFAULTFROM', 'ldap');

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8264

Sources (Detail)

https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98...
https://github.com/Z-Hub/Z-Push/pull/161
https://github.com/Z-Hub/Z-Push/pull/161/commits/f981d515a35ac4c303959af21dce...
https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
https://xbow.com/blog/xbow-zpush-sqli/
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2025-07-30 02:41:07
  • Multiple Updates
2025-07-30 02:41:06
  • Multiple Updates
2025-07-29 21:20:36
  • Multiple Updates
2025-07-29 13:20:41
  • First insertion