First published: Wed Oct 01 2014
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files generated by backup.php.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Postfix | <=2.3.4 | |
Postfix | =2.0.0 | |
Postfix | =2.0.1 | |
Postfix | =2.0.2 | |
Postfix | =2.0.3 | |
Postfix | =2.0.4 | |
Postfix | =2.0.5 | |
Postfix | =2.0.6 | |
Postfix | =2.0.7 | |
Postfix | =2.0.8 | |
Postfix | =2.0.9 | |
Postfix | =2.0.10 | |
Postfix | =2.0.11 | |
Postfix | =2.0.12 | |
Postfix | =2.0.13 | |
Postfix | =2.0.14 | |
Postfix | =2.0.15 | |
Postfix | =2.0.16 | |
Postfix | =2.0.17 | |
Postfix | =2.0.18 | |
Postfix | =2.0.19 | |
Postfix | =2.1.0 | |
Postfix | =2.1.1 | |
Postfix | =2.1.2 | |
Postfix | =2.1.3 | |
Postfix | =2.1.4 | |
Postfix | =2.1.5 | |
Postfix | =2.1.6 | |
Postfix | =2.2.0 | |
Postfix | =2.2.1 | |
Postfix | =2.2.2 | |
Postfix | =2.2.3 | |
Postfix | =2.2.4 | |
Postfix | =2.2.5 | |
Postfix | =2.2.6 | |
Postfix | =2.2.7 | |
Postfix | =2.2.8 | |
Postfix | =2.2.9 | |
Postfix | =2.2.10 | |
Postfix | =2.2.11 | |
Postfix | =2.2.12 | |
Postfix | =2.3 | |
Postfix | =2.3.1 | |
Postfix | =2.3.2 | |
Postfix | =2.3.3 | |
CVE-2012-0811 is considered high severity because it allows SQL injection by remote authenticated users.
To fix CVE-2012-0811, you should upgrade Postfix Admin to version 2.3.5 or later, which addresses the SQL injection vulnerabilities.
CVE-2012-0811 affects all versions of Postfix Admin prior to 2.3.5 that are used in environments configured with mysql_encrypt.
CVE-2012-0811 contains multiple SQL injection vulnerabilities that allow remote authenticated users to execute arbitrary SQL commands.
Yes, CVE-2012-0811 can be exploited remotely by authenticated users who leverage SQL injection techniques.