Vulnerability Details : CVE-2014-2655
SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.
Vulnerability category: Sql Injection
Products affected by CVE-2014-2655
- cpe:2.3:a:postfix_admin_project:postfix_admin:*:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix_admin_project:postfix_admin:2.2.1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2655
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-2655
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
CWE ids for CVE-2014-2655
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2655
-
http://www.debian.org/security/2014/dsa-2889
Debian -- Security Information -- DSA-2889-1 postfixadmin
-
http://lists.opensuse.org/opensuse-updates/2014-05/msg00075.html
openSUSE-SU-2014:0715-1: moderate: PostfixAdmin: update to 2.3.7
-
http://www.openwall.com/lists/oss-security/2014/03/26/6
oss-security - CVE request: postfixadmin SQL injection vulnerability
-
http://www.securityfocus.com/bid/66455
Postfix Admin 'functions.inc.php' SQL Injection Vulnerability
-
http://www.openwall.com/lists/oss-security/2014/03/26/11
oss-security - Re: CVE request: postfixadmin SQL injection vulnerability
-
http://sourceforge.net/p/postfixadmin/code/1650
Postfix Admin / Code (old SVN) / Commit [r1650]Exploit;Patch
Jump to