Missing Authorization in postfixadmin - CVE-2017-5930
Published: August 3, 2020 / Updated: August 4, 2020
Vulnerability identifier: #VU32995
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2017-5930
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: postfixadmin.com
Affected software:
postfixadmin
postfixadmin
Detailed vulnerability description
The vulnerability allows a remote user to bypass authorization process.
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
How to mitigate CVE-2017-5930
Install updates from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-updates/2017-02/msg00076.html
- http://www.openwall.com/lists/oss-security/2017/02/08/1
- http://www.openwall.com/lists/oss-security/2017/02/09/1
- http://www.securityfocus.com/bid/96142
- https://github.com/postfixadmin/postfixadmin/blob/postfixadmin-3.0.2/CHANGELOG.TXT
- https://github.com/postfixadmin/postfixadmin/pull/23
- https://sourceforge.net/p/postfixadmin/mailman/message/35646827/