CVE-2025-52557

Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Mail-0/Zero/commit/48d1df65b62c9c57897b72b241081f447140342f
https://github.com/Mail-0/Zero/pull/1386
https://github.com/Mail-0/Zero/security/advisories/GHSA-34gh-g567-hq85

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) Zero de Mail-0 es una solución de correo electrónico de código abierto. En la versión 0.8, un atacante puede manipular un correo electrónico que ejecute JavaScript, lo que puede provocar el secuestro de la sesión debido a una depuración incorrecta. Este problema se ha corregido en la versión 0.81.

21 Jun 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-21 02:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-52557

Mitre link : CVE-2025-52557

CVE.ORG link : CVE-2025-52557

JSON object : View

Products Affected

No product.

CWE

CWE-1384

Improper Handling of Physical or Environmental Conditions

{"id": "CVE-2025-52557", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-21T02:15:20.107", "references": [{"url": "https://github.com/Mail-0/Zero/commit/48d1df65b62c9c57897b72b241081f447140342f", "source": "security-advisories@github.com"}, {"url": "https://github.com/Mail-0/Zero/pull/1386", "source": "security-advisories@github.com"}, {"url": "https://github.com/Mail-0/Zero/security/advisories/GHSA-34gh-g567-hq85", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1384"}]}], "descriptions": [{"lang": "en", "value": "Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81."}, {"lang": "es", "value": "Zero de Mail-0 es una soluci\u00f3n de correo electr\u00f3nico de c\u00f3digo abierto. En la versi\u00f3n 0.8, un atacante puede manipular un correo electr\u00f3nico que ejecute JavaScript, lo que puede provocar el secuestro de la sesi\u00f3n debido a una depuraci\u00f3n incorrecta. Este problema se ha corregido en la versi\u00f3n 0.81."}], "lastModified": "2025-06-23T20:16:21.633", "sourceIdentifier": "security-advisories@github.com"}