From ${URL} :

Postfixadmin has an SQL injection vulnerability. This vulnerability is only exploitable by authenticated users able to create new aliases. If the alias contains SQL code, the list-virtual.php overview triggers the vulnerability.

The vulnerability was fixed upstream in this commit: http://sourceforge.net/p/postfixadmin/code/1650

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-2655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2655): SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.
*** This bug has been marked as a duplicate of bug 502270 ***
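An added example, not Postfix Admin's code and not part of the bug report: a simplified Python/sqlite3 model of the pattern described above, where an alias value is stored verbatim and only causes harm later, when an overview routine concatenates it into a query. The schema, function names and sample values are constructed assumptions.

```python
import sqlite3

def make_db():
    """Hypothetical two-table schema, loosely modelled on a mail admin tool."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (username TEXT PRIMARY KEY);
        CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT NOT NULL);
    """)
    db.execute("INSERT INTO mailbox VALUES ('alice@example.org')")
    return db

def create_alias(db, address, goto):
    # Storing with bound parameters is safe: the value lands in the table
    # verbatim, quote characters included. Nothing goes wrong at this step.
    db.execute("INSERT INTO alias (address, goto) VALUES (?, ?)", (address, goto))

def _stored_goto(db, address):
    row = db.execute("SELECT goto FROM alias WHERE address = ?", (address,)).fetchone()
    return row[0]

def target_exists_vulnerable(db, address):
    # Flaw: the value read back from the database is treated as trusted and
    # concatenated into a second statement (second-order injection).
    goto = _stored_goto(db, address)
    sql = "SELECT COUNT(*) FROM mailbox WHERE username = '" + goto + "'"
    return db.execute(sql).fetchone()[0] > 0

def target_exists_hardened(db, address):
    # Fix: bind the stored value as a parameter, exactly like user input.
    goto = _stored_goto(db, address)
    sql = "SELECT COUNT(*) FROM mailbox WHERE username = ?"
    return db.execute(sql, (goto,)).fetchone()[0] > 0

def demo():
    db = make_db()
    create_alias(db, "ok@example.org", "alice@example.org")
    # Constructed value: no such mailbox exists, but the quote changes the
    # meaning of the concatenated WHERE clause.
    create_alias(db, "odd@example.org", "nobody@example.org' OR '1'='1")
    return {
        addr: (target_exists_vulnerable(db, addr), target_exists_hardened(db, addr))
        for addr in ("ok@example.org", "odd@example.org")
    }

if __name__ == "__main__":
    for addr, (vuln, hard) in demo().items():
        print(f"{addr}: vulnerable={vuln} hardened={hard}")
```

The two routines agree on the ordinary alias and disagree on the constructed one, which is a useful regression check after applying a fix of this kind.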