JVN#63041502
Samba Web Administration Tool vulnerable to cross-site scripting
Overview
Samba Web Administration Tool contains a cross-site scripting vulnerability.
Products Affected
Samba Web Administration Tool (SWAT) as shipped in the following Samba versions is affected:
- Samba versions prior to 3.5.10
- Samba versions prior to 3.4.14
- Samba versions prior to 3.3.16
- Samba versions 3.0.x through 3.2.15
Description
Samba Web Administration Tool (SWAT) allows for Samba configuration through a web interface. SWAT contains a cross-site scripting vulnerability.
SWAT is disabled in a default configuration of Samba.
Impact
An arbitrary script may be executed in the web browser of a user who is logged in to SWAT.
According to the developer, this vulnerability is exploitable only if JVN#29529126 is not addressed.
Solution
Update the software
Update to the latest version of Samba or apply the appropriate patch according to the information provided by the developer.
Credit
Nobuhiro Tsuji of NTT DATA INTELLILINK CORPORATION reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2011-2694
- JVN iPedia: JVNDB-2011-002111