Postfixadmin: Multiple vulnerabilities — GLSA 201209-18

Multiple vulnerabilities have been found in Postfixadmin which may lead to SQL injection or cross-site scripting attacks.

Affected Packages

www-apps/postfixadmin on all architectures
Affected versions < 2.3.5
Unaffected versions >= 2.3.5

Background

Postfixadmin is a web-based management tool for Postfix-style virtual domains and users.

Description

Multiple SQL injection vulnerabilities (CVE-2012-0811) and cross-site scripting vulnerabilities (CVE-2012-0812) have been found in Postfixadmin.

Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary SQL statements or arbitrary HTML and script code.

Workaround

There is no known workaround at this time.

Resolution

All Postfixadmin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/postfixadmin-2.3.5"
 

References

Release Date
September 27, 2012

Latest Revision
September 27, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries