Skip to main content

Z-Push CVE-2025-8264

HIGH
SQL Injection (CWE-89)
2025-07-29 report@snyk.io
7.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:15 vuln.today

DescriptionCVE.org

Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database. Note: This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured. Mitigation Change configuration to use the default or LDAP in backend/imap/config.php php define('IMAP_DEFAULTFROM', ''); or php define('IMAP_DEFAULTFROM', 'ldap');

AnalysisAI

SQL injection in Z-Push IMAP backend allows unauthenticated remote attackers to access, modify, or delete data in linked third-party databases via malicious username values in basic authentication headers. Exploitation requires non-default IMAP_FROM_SQL_QUERY configuration. Publicly available exploit code exists (GitHub PR #161 demonstrates the vulnerability). CVSS 7.9 with network attack vector and no authentication required, though attack complexity increases due to the specific configuration prerequisite. Affects Z-Push versions before 2.7.6.

Technical ContextAI

Z-Push is a PHP-based open-source implementation of the Microsoft ActiveSync protocol for mobile device synchronization with email servers. The vulnerability resides in the IMAP backend component (backend/imap/user_identity.php, lines 211-214), where username values from HTTP basic authentication are directly interpolated into SQL queries without parameterization when IMAP_FROM_SQL_QUERY is configured. This represents a classic CWE-89 SQL injection flaw where user-controlled input (the username field in Authorization headers) flows unsanitized into database operations. The IMAP backend's user identity feature allows querying external SQL databases to retrieve email addresses for users, but the query construction lacks prepared statements or input validation. The vulnerable code path only executes when administrators have explicitly configured IMAP_FROM_SQL_QUERY to query a third-party database rather than using default settings or LDAP.

Affected ProductsAI

Z-Push versions before 2.7.6 are affected when the IMAP backend is enabled with IMAP_FROM_SQL_QUERY configured to query external SQL databases. The package identifier is z-push/z-push-dev in PHP/Composer ecosystems. Specifically, the vulnerability exists in backend/imap/user_identity.php in the user identity resolution code path. GitHub repository Z-Hub/Z-Push versions prior to commit f981d515a35ac4c303959af21dce880a5db02786 contain the vulnerable unparameterized query construction. Organizations using default IMAP_DEFAULTFROM settings or LDAP-based identity resolution are not affected even if running vulnerable versions. Advisory available at https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180 and technical analysis at https://xbow.com/blog/xbow-zpush-sqli/.

RemediationAI

Upgrade to Z-Push version 2.7.6 or later, which implements parameterized queries in the IMAP backend user identity code (fix available via GitHub PR #161, commit f981d515a35ac4c303959af21dce880a5db02786). For systems that cannot immediately upgrade, remove SQL injection attack surface by changing backend/imap/config.php to use default settings (define('IMAP_DEFAULTFROM', '');) or LDAP-based identity resolution (define('IMAP_DEFAULTFROM', 'ldap');) instead of IMAP_FROM_SQL_QUERY. This configuration change eliminates the vulnerable code path entirely but impacts functionality for deployments that rely on SQL database queries for user email address resolution - organizations must ensure alternative identity resolution mechanisms meet their operational requirements. If SQL-based identity resolution is business-critical and patching is delayed, implement input validation at the web server or reverse proxy layer to sanitize HTTP Authorization headers, though this is complex and error-prone compared to patching. Monitor database query logs for suspicious username patterns (SQL keywords, comment sequences, UNION statements) as a detection control. Vendor patch details: https://github.com/Z-Hub/Z-Push/pull/161.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-8264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy