CVE-2011-2694

Samba < 3.3.16 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).

References (16)

[Third Party Advisory] http://jvn.jp/en/jp/JVN63041502/index.html

[Broken Link] http://osvdb.org/74072

[Vendor Advisory] http://samba.org/samba/history/samba-3.5.10.html

[Not Applicable, Vendor Advisory] http://secunia.com/advisories/45393

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/45488

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/45496

[Broken Link, Third Party Advisory, VDB Entry] http://securitytracker.com/id?1025852

[Third Party Advisory] http://ubuntu.com/usn/usn-1182-1

[Third Party Advisory] http://www.debian.org/security/2011/dsa-2290

[Broken Link, Third Party Advisory] http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543

[Broken Link] http://www.mandriva.com/security/advisories?name=MDVSA-2011:121

[Vendor Advisory] http://www.samba.org/samba/security/CVE-2011-2694

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/48901

[Issue Tracking, Patch] https://bugzilla.redhat.com/show_bug.cgi?id=722537

[Issue Tracking, Patch] https://bugzilla.samba.org/show_bug.cgi?id=8289

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/68844

Scores

EPSS 0.0313

EPSS Percentile 86.7%

Classification

CWE

CWE-79

Status published

Affected Products (9)

samba/samba < 3.3.16

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

debian/debian_linux

debian/debian_linux

debian/debian_linux

n/a/n/a

Timeline

Published Jul 29, 2011

Tracked Since Feb 18, 2026