Vulnerability CVE-2012-0811
Published: 2014-10-01

Description:
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files generated by backup.php.

Type:

CWE-89

 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Postfix -> Postfix 

 References:
https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3/CHANGELOG.TXT
http://www.securityfocus.com/bid/51680
http://www.openwall.com/lists/oss-security/2012/01/27/5
http://www.openwall.com/lists/oss-security/2012/01/26/5
http://www.codseq.it/advisories/multiple_vulnerabilities_in_postfixadmin
Copyright 2024, cxsecurity.com

 

Back to Top