Summary
An SQL injection vulnerability was discovered in postfixadmin, a web administration interface for the Postfix Mail Transport Agent, which allowed authenticated users to make arbitrary manipulations to the database.
The oldstable distribution (squeeze) does not contain postfixadmin.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 2.3.5-2+deb7u1.
For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 2.3.5-3.
We recommend that you upgrade your postfixadmin packages.
Insight
Postfixadmin is a web interface to manage virtual users and domains for a Postfix mail transport agent. It supports virtual mailboxes, aliases, forwarders and vacation.
Affected
postfixadmin on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-2655
CVSS Base Score: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P