This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
The Postfix Admin Team reports :
Multiple XSS vulnerabilities exist :
- XSS with $_GET[domain] in templates/menu.php and edit-vacation
- XSS in some create-domain input fields
- XSS in create-alias and edit-alias error message
- XSS (by values stored in the database) in fetchmail list view, list-domain and
Multiple SQL injection issues exist :
- SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
- SQL injection in backup.php - the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before
See also :
Update the affected package.
Risk factor :
Medium / CVSS Base Score : 6.5