diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT index c5e99d82..b9a8d00d 100644 --- a/CHANGELOG.TXT +++ b/CHANGELOG.TXT @@ -10,8 +10,9 @@ # Last update: # $Id$ -Changes since 2.3.6 release +Version 2.3.7 - 2014/02/__ - SVN r16__ (postfixadmin-2.3 branch) ---------------------------------------------------------------- + - SECURITY: fix SQL injection in show_gen_status() - lt.lang, da.lang translation update - when enabling/disabling a mailbox, also update the corresponding alias - fix creating superadmin in setup.php with MariaDB (more strict SQL) diff --git a/functions.inc.php b/functions.inc.php index 670be5ef..91ea2d25 100644 --- a/functions.inc.php +++ b/functions.inc.php @@ -16,7 +16,7 @@ * Contains re-usable code. */ -$version = '2.3.6'; +$version = '2.3.7'; /** * check_session @@ -2175,6 +2175,8 @@ function gen_show_status ($show_alias) global $CONF, $table_alias; $stat_string = ""; + $show_alias = escape_string($show_alias); + $stat_goto = ""; $stat_result = db_query ("SELECT goto FROM $table_alias WHERE address='$show_alias'"); if ($stat_result['rows'] > 0)
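Review bot: In the `gen_show_status` hunk, `$show_alias = escape_string($show_alias);` overwrites the parameter, so every later use in the function sees the SQL-escaped form, not only the `SELECT goto` query shown here. The function body continues past the hunk; if it later compares, splits or prints `$show_alias`, addresses containing quotes or backslashes would be handled in their escaped form. I would keep the raw value and escape into a separate variable, `$sql_alias = escape_string($show_alias);`, then use `WHERE address='$sql_alias'`. A short comment such as `// escape once for SQL; keep $show_alias raw for non-SQL use` would record the intent. It is also worth checking that any `goto` values read back from `$stat_result` are escaped before being interpolated into further queries, since stored data is no more trustworthy than the request parameter.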