Vulnerability Details : CVE-2012-0811
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files generated by backup.php.
Vulnerability category: SQL Injection
Products affected by CVE-2012-0811
- cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.2.7:*:*:*:*:*:*:*
Threat overview for CVE-2012-0811
Top open port discovered on systems with this issue: 26
IPs affected by CVE-2012-0811: 1
Exploit prediction scoring system (EPSS) score for CVE-2012-0811
EPSS score: 0.73% (probability of exploitation activity in the next 30 days)
Percentile: ~81% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2012-0811
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
CWE ids for CVE-2012-0811
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0811
- http://www.codseq.it/advisories/multiple_vulnerabilities_in_postfixadmin
  CODSEQ : advisories (Exploit)
- http://www.openwall.com/lists/oss-security/2012/01/27/5
  oss-security - Re: CVE request: PostfixAdmin SQL injections and XSS
- https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3/CHANGELOG.TXT
- http://www.securityfocus.com/bid/51680
  Postfix Admin Multiple SQL Injection and Cross Site Scripting Vulnerabilities
- http://www.openwall.com/lists/oss-security/2012/01/26/5
  oss-security - CVE request: PostfixAdmin SQL injections and XSS