Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntuUbuntuUSN-6550-1
HistoryDec 12, 2023 - 12:00 a.m.

PostfixAdmin vulnerabilities

2023-12-1200:00:00
ubuntu.com
13
postfixadmin
ubuntu
vulnerabilities
smarty
moment.js
php injection
arbitrary code
denial of service
cross-site scripting
rfc 2822

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

69.2%

JSON

Releases

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 ESM

Packages

  • postfixadmin - Virtual mail hosting interface for Postfix

Details

It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly sanitizing user input when generating templates. An
attacker could, through PHP injection, possibly use this issue to execute
arbitrary code. (CVE-2022-29221)

It was discovered that Moment.js, that is integrated in the PostfixAdmin
code, was using an inefficient parsing algorithm when processing date
strings in the RFC 2822 standard. An attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-31129)

It was discovered that Smarty, that is integrated in the PostfixAdmin
code, was not properly escaping JavaScript code. An attacker could
possibly use this issue to conduct cross-site scripting attacks (XSS).
(CVE-2023-28447)

OSVersionArchitecturePackageVersionFilename
Ubuntu22.04noarchpostfixadmin< 3.3.10-2ubuntu0.1~esm1UNKNOWN
Ubuntu22.04noarchpostfixadmin< 3.3.10-2UNKNOWN
Ubuntu20.04noarchpostfixadmin< 3.2.1-3ubuntu0.1~esm1UNKNOWN
Ubuntu20.04noarchpostfixadmin< 3.2.1-3UNKNOWN
Ubuntu18.04noarchpostfixadmin< 3.0.2-2ubuntu0.1~esm1UNKNOWN
Ubuntu18.04noarchpostfixadmin< 3.0.2-2UNKNOWN

Related

osv 14
nessus 34
openvas 24
fedora 9
github 3
prion 4
debian 3
debiancve 3
ubuntu 2
mageia 4
veracode 3
cve 4
ubuntucve 3
githubexploit 1
ibm 34
redhat 28
hackerone 1
redhatcve 1
attackerkb 1
huntr 1
qualysblog 1
freebsd 1
atlassian 3
gentoo 1
oracle 5
osv
osv
postfixadmin vulnerabilities
2023-12-12 12:15:17
smarty3 - security update
2022-05-29 00:00:00
smarty Cross-site Scripting vulnerability in Javascript escaping
2023-03-29 18:31:35
nessus
nessus
Ubuntu 18.04 ESM / 20.04 ESM / 22.04 ESM : PostfixAdmin vulnerabilities (USN-6550-1)
2023-12-12 00:00:00
Ubuntu 22.04 LTS : Smarty vulnerability (USN-6012-1)
2023-04-13 00:00:00
Debian DLA-3033-1 : smarty3 - LTS security update
2022-05-31 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6550-1)
2023-12-13 00:00:00
Debian: Security Advisory (DLA-3033-1)
2022-06-01 00:00:00
Fedora: Security Advisory for php-Smarty (FEDORA-2023-4b03f6cd8a)
2023-04-13 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: php-Smarty-3.1.48-1.fc36
2023-04-12 01:39:15
[SECURITY] Fedora 37 Update: php-Smarty-3.1.48-1.fc37
2023-04-12 01:34:31
[SECURITY] Fedora 38 Update: php-Smarty-3.1.48-1.fc38
2023-04-15 02:15:24
github
github
PHP Code Injection by malicious block or filename in Smarty
2022-05-25 20:15:02
smarty Cross-site Scripting vulnerability in Javascript escaping
2023-03-29 18:31:35
Moment.js vulnerable to Inefficient Regular Expression Complexity
2022-07-06 18:38:49
prion
prion
Code injection
2022-05-24 15:15:00
Design/Logic Flaw
2023-03-28 21:15:00
Input validation
2022-07-06 18:15:00
debian
debian
[SECURITY] [DLA 3033-1] smarty3 security update
2022-05-29 15:01:25
[SECURITY] [DLA 3295-1] node-moment security update
2023-01-30 21:29:16
[SECURITY] [DSA 5151-1] smarty3 security update
2022-05-29 14:57:57
debiancve
debiancve
CVE-2022-29221
2022-05-24 15:15:00
CVE-2023-28447
2023-03-28 21:15:11
CVE-2022-31129
2022-07-06 18:15:00
ubuntu
ubuntu
Smarty vulnerability
2023-04-13 00:00:00
Moment.js vulnerabilities
2022-08-10 00:00:00
mageia
mageia
Updated php-smarty packages fix security vulnerability
2022-06-13 23:44:20
Updated php-smarty packages fix security vulnerability
2023-04-24 03:20:26
Updated jupyter-notebook packages fix security vulnerabilities
2024-03-16 04:42:48
veracode
veracode
Arbitrary Code Injection
2022-05-25 05:09:41
Cross-Site Scripting (XSS)
2023-04-04 11:26:16
Regular Expression Denial Of Service (ReDoS)
2022-07-07 05:14:54
cve
cve
CVE-2022-29221
2022-05-24 15:15:00
CVE-2023-28447
2023-03-28 21:15:11
CVE-2022-31129
2022-07-06 18:15:00
ubuntucve
ubuntucve
CVE-2022-29221
2022-05-24 00:00:00
CVE-2023-28447
2023-03-28 00:00:00
CVE-2022-31129
2022-07-06 00:00:00
githubexploit
githubexploit
Exploit for Code Injection in Smarty
2022-05-25 06:02:23
ibm
ibm
Security Bulletin: A security vulnerability in Node.js moment affects IBM Cloud Pak for Watson AIOps Infrastructure Automation
2022-10-22 20:33:44
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129)
2023-02-07 21:32:04
Security Bulletin: Vulnerability in Node.js moment affect IBM Cloud Pak System
2024-03-20 17:18:31
redhat
redhat
(RHSA-2022:6392) Important: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update
2022-09-08 11:19:30
(RHSA-2022:5914) Moderate: Red Hat Kiali for OpenShift Service Mesh 2.1 security update
2022-08-08 08:12:25
(RHSA-2022:5915) Moderate: Red Hat Kiali for OpenShift Service Mesh 2.2 security update
2022-08-08 08:18:33
hackerone
hackerone
Nextcloud: [nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity
2022-09-26 11:16:15
redhatcve
redhatcve
CVE-2022-31129
2022-07-07 20:44:44
attackerkb
attackerkb
CVE-2022-31129
2022-07-06 00:00:00
huntr
huntr
Regular Expression Denial of Service (ReDoS)
2022-06-06 11:09:00
qualysblog
qualysblog
Detection of Vulnerabilities in JavaScript Libraries
2023-01-16 11:46:18
freebsd
freebsd
mantis -- multiple vulnerabilities
2023-01-06 00:00:00
atlassian
atlassian
Upgrade moment library to 2.29.2+ as required for CVE-2022-24785 and CVE-2022-31129
2023-10-11 15:26:01
Upgrade moment library to 2.29.2+ as required for CVE-2022-24785 and CVE-2022-31129
2023-10-11 15:26:01
Upgrade moment library to 2.29.2+ for LTS version as required for CVE-2022-24785 and CVE-2022-31129
2023-03-27 07:30:38
gentoo
gentoo
Smarty: Multiple vulnerabilities
2022-09-25 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

69.2%

JSON
Related for USN-6550-1
osv14nessus34openvas24fedora9github3prion4debian3debiancve3ubuntu2mageia4veracode3cve4ubuntucve3githubexploit1ibm34redhat28hackerone1redhatcve1attackerkb1huntr1qualysblog1freebsd1atlassian3gentoo1oracle5