Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-5930 — Missing Authorization in Project Postfixadmin

CWE-862 — Missing Authorization6 documents6 sources

Severity

2.7LOWNVD

EPSS

39.9%

top 2.66%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Postfixadmin Postfixadmin Project Postfixadmin Debian Postfixadmin +1 more

Timeline

PublishedMar 20

Latest updateMay 13

Description

The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/postfixadmin< postfixadmin 3.0.2-1 (bookworm)

▶NVDpostfixadmin_project/postfixadmin< 3.0.2

▶Debianpostfixadmin/postfixadmin< 3.0.2-1+2

▶NVDopensuse/leap42.1, 42.2+1

Patches

Patch: github.com ↗Patch: sourceforge.net ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-xgfq-m22c-vpjj: The AliasHandler component in PostfixAdmin before 3↗2022-05-13

▶

OSV

CVE-2017-5930: The AliasHandler component in PostfixAdmin before 3↗2017-03-20

▶

VulnCheck

opensuse leap Missing Authorization↗2017

▶

💥Exploits & PoCs

Metasploit

Postfixadmin Protected Alias Deletion Vulnerability↗

▶

📋Vendor Advisories

Debian

CVE-2017-5930: postfixadmin - The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authentica...↗2017

▶