CVE-2011-2694

NameCVE-2011-2694
DescriptionCross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2290-1
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)stretch2:4.5.16+dfsg-1+deb9u2fixed
stretch (security)2:4.5.16+dfsg-1+deb9u4fixed
buster2:4.9.5+dfsg-5fixed
buster (security)2:4.9.5+dfsg-5+deb10u2fixed
bullseye2:4.13.5+dfsg-2fixed
bullseye (security)2:4.13.13+dfsg-1~deb11u2fixed
bookworm, sid2:4.13.14+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasourcelenny2:3.2.5-4lenny15DSA-2290-1
sambasourcesqueeze2:3.5.6~dfsg-3squeeze5DSA-2290-1
sambasource(unstable)2:3.5.10~dfsg-1low

Search for package or bug name: Reporting problems