PT-2025-31175 · Unknown +1 · Z-Push-Dev +1

Xbow · Published 2025-07-29 · Updated 2025-07-29 · CVE-2025-8264

CVSS v3.1: 9.0
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

z-push/z-push-dev versions prior to 2.7.6

Description:

The software is vulnerable to SQL injection because the IMAP backend builds unparameterized queries. An attacker can inject SQL by supplying a crafted `username` in HTTP Basic authentication, potentially allowing read access to, and modification or deletion of, sensitive data in a linked third-party database. This issue affects Z-Push installations that use the IMAP backend and have the `IMAP_FROM_SQL_QUERY` option configured.
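The following is an added illustration of the pattern described above, not Z-Push's own code. It assumes a query template in the style of `IMAP_FROM_SQL_QUERY` with a `#username` placeholder that is filled from the Basic-auth username, and uses an in-memory SQLite table in place of the linked third-party database to contrast textual substitution with a bound parameter.

```php
<?php
// Added example, not Z-Push's own code. The '#username' placeholder and the
// template below are constructed for this illustration; an in-memory SQLite
// table stands in for the third-party database the advisory refers to.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (mail_address TEXT, first_name TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice@example.org', 'Alice')");

// Constructed template; the quotes around the placeholder are part of the SQL text.
$template = "SELECT first_name, mail_address FROM users WHERE mail_address = '#username'";

// Vulnerable pattern: textual substitution makes the username part of the SQL.
function lookupUnsafe(PDO $pdo, string $template, string $username): array
{
    $sql = str_replace('#username', $username, $template);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the quoted placeholder becomes a bind parameter, so the
// username is sent as data and cannot change the structure of the query.
function lookupSafe(PDO $pdo, string $template, string $username): array
{
    $sql  = str_replace("'#username'", ':username', $template);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary login: both variants return the same single row.
echo count(lookupUnsafe($pdo, $template, 'alice@example.org')), PHP_EOL;
echo count(lookupSafe($pdo, $template, 'alice@example.org')), PHP_EOL;

// A username containing a single quote is enough to show the difference: the
// unsafe variant hands it to the SQL parser (syntax error), while the safe
// variant treats it as a plain value that matches no row.
$quoted = "o'brien@example.org";
try {
    lookupUnsafe($pdo, $template, $quoted);
    echo 'unsafe: query accepted', PHP_EOL;
} catch (PDOException $e) {
    echo 'unsafe: username reached the SQL parser: ', $e->getMessage(), PHP_EOL;
}
echo count(lookupSafe($pdo, $template, $quoted)), PHP_EOL;
```

Setting `IMAP_DEFAULTFROM` to `''` or `'ldap'`, as the recommendations below describe, removes the SQL lookup path entirely, which is the preferable mitigation until the fixed version is deployed.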

Recommendations:

Change the configuration in backend/imap/config.php to use the default or the LDAP lookup instead of the SQL query.

Set `IMAP_DEFAULTFROM` to an empty string:

```php
define('IMAP_DEFAULTFROM', '');
```

or set `IMAP_DEFAULTFROM` to 'ldap':

```php
define('IMAP_DEFAULTFROM', 'ldap');
```

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2025-8264
GHSA-W832-W3P8-CW29

Affected Products

Z-Push
Z-Push-Dev