Remote authenticated domain admins can delete protected aliases in PostfixAdmin before 3.0.2 via a missing permission check in the AliasHandler component

CVE-2017-5930 · LOW Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
