logo_clicknbuy.png

CVE-2025-8264 – “Z-Push SQL Injection Vulnerability”

The following table lists the changes that have been made to the
CVE-2025-8264 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Jul. 29, 2025

    Action Type Old Value New Value
    Added Description Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database.

    **Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.

    Mitigation
    Change configuration to use the default or LDAP in backend/imap/config.php

    php
    define(‘IMAP_DEFAULTFROM’, ”);

    or
    php
    define(‘IMAP_DEFAULTFROM’, ‘ldap’);
    Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-89
    Added Reference https://github.com/Z-Hub/Z-Push/blob/af25a2169a50d6e05a5916d1e8b2b6cd17011c98/src/backend/imap/user_identity.php%23L211C9-L214C25
    Added Reference https://github.com/Z-Hub/Z-Push/pull/161
    Added Reference https://github.com/Z-Hub/Z-Push/pull/161/commits/f981d515a35ac4c303959af21dce880a5db02786
    Added Reference https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
    Added Reference https://xbow.com/blog/xbow-zpush-sqli/
Share the Post:

Related Posts