CVE-2011-2694 — LOW (2.6) — White Hats Nepal

Q: How severe is CVE-2011-2694?

CVE-2011-2694 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-2694?

Check the references section above for vendor advisories and patch information. Affected products include: Samba Samba, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).

CVSS Score

2.6

LOW

AV:N/AC:H/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Samba	Samba	>= 3.0.0, < 3.3.16
Canonical	Ubuntu Linux	8.04
Debian	Debian Linux	5.0

Related Weaknesses (CWE)

CWE-79

References

http://jvn.jp/en/jp/JVN63041502/index.htmlThird Party Advisory
http://osvdb.org/74072Broken Link
http://samba.org/samba/history/samba-3.5.10.htmlVendor Advisory
http://secunia.com/advisories/45393Not ApplicableVendor Advisory
http://secunia.com/advisories/45488Not ApplicableThird Party Advisory
http://secunia.com/advisories/45496Not ApplicableThird Party Advisory
http://securitytracker.com/id?1025852Broken LinkThird Party AdvisoryVDB Entry
http://ubuntu.com/usn/usn-1182-1Third Party Advisory
http://www.debian.org/security/2011/dsa-2290Third Party Advisory
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543Broken LinkThird Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2011:121Broken Link
http://www.samba.org/samba/security/CVE-2011-2694Vendor Advisory
http://www.securityfocus.com/bid/48901Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=722537Issue TrackingPatch
https://bugzilla.samba.org/show_bug.cgi?id=8289Issue TrackingPatch

FAQ

What is CVE-2011-2694?

CVE-2011-2694 is a vulnerability with a CVSS score of 2.6 (LOW). Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to i...

How severe is CVE-2011-2694?

CVE-2011-2694 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-2694?

Check the references section above for vendor advisories and patch information. Affected products include: Samba Samba, Canonical Ubuntu Linux, Debian Debian Linux.