Snare For Linux Cross Site Scripting

Published: 10 Dec 2012 00:00:00
Reported by: Andrew Brooks
Type: packetstorm
Source: packetstormsecurity.com
Views: 26

Snare for Linux Cross-Site Scripting vulnerability via Log Injection. Upgrade to version 1.7.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CVE | CVE-2011-5249 | 14 May 2014 19:00 | cve |
| Cvelist | CVE-2011-5249 | 14 May 2014 19:00 | cvelist |
| EUVD | EUVD-2011-5148 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2011-5249 | 14 May 2014 19:55 | nvd |
| Prion | Cross site scripting | 14 May 2014 19:55 | prion |
| securityvulns | [email protected] | 11 Dec 2012 00:00 | securityvulns |
| securityvulns | Snare multiple security vulnerabilities | 11 Dec 2012 00:00 | securityvulns |
| Tenable Nessus | Snare Agent for Linux < 1.7.0 / 2.0.0 Multiple Vulnerabilities | 24 Dec 2012 00:00 | nessus |

`Snare for Linux Cross-Site Scripting via Log Injection  
  
  
I. BACKGROUND  
----------------------  
Snare for Linux provides a 'C2' or 'CAPP' style audit   
subsystem for the Linux operating system. It can be  
used as a standalone auditing tool for Linux, or can   
send data to the Snare Server for analysis and storage.   
  
  
II. DESCRIPTION  
----------------------  
A cross-site scripting vulnerability has been discovered   
in the web interface for Snare for Linux. As part of   
Snare's intended functionality, one feature it provides  
is the logging of shell commands issued by a given user   
which are then available for viewing through the web   
interface. Due to the fact that this data was not validated  
before being sent to the browser in versions prior to 1.7.0,  
it is possible to inject JavaScript into the web console.  
  
  
III. AFFECTED PRODUCTS  
----------------------  
All versions of Snare for Linux prior to 1.7.0 are vulnerable.  
  
  
IV. SOLUTION  
----------------------  
Users should upgrade to version 1.7.0 of Snare for Linux.  
  
  
V. Credit  
----------------------  
This vulnerability was discovered by Andrew Brooks.  
  
  
VI. References  
----------------------  
CVE-2011-5249  
http://rpmfind.net/linux/RPM/sourceforge/s/sn/snare/Snare%20for%20Linux/1.7.0/SnareLinux-1.7.0-0.i386.html  
  
  
VII. Timeline  
----------------------  
7/11/11 - Vendor notification  
8/09/11 - Fixed and closed  
`
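
The root cause described in section II, logged command text reaching the browser without output encoding, is shown below as an added example in C. It is not code from Snare or from the advisory; the function names (`html_escape`, `render_row_unsafe`, `render_row_safe`), the table-row markup and the sample record are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative only, not Snare's code; all names here are hypothetical.
 * Escape HTML metacharacters; returns length written, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;            /* default: copy the byte unchanged */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (n + len >= cap) return -1;    /* never emit a truncated entity */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable pattern: the logged command is copied into the page verbatim. */
int render_row_unsafe(const char *user, const char *cmd, char *out, size_t cap)
{
    return snprintf(out, cap, "<tr><td>%s</td><td>%s</td></tr>", user, cmd);
}

/* Hardened pattern: every logged field is escaped at output time. */
int render_row_safe(const char *user, const char *cmd, char *out, size_t cap)
{
    char u[256], c[1024];
    if (html_escape(user, u, sizeof u) < 0 || html_escape(cmd, c, sizeof c) < 0)
        return -1;                        /* oversize field: drop the row, never emit it raw */
    return snprintf(out, cap, "<tr><td>%s</td><td>%s</td></tr>", u, c);
}

int main(void)
{
    char row[2048];
    const char *cmd = "echo \"<script>alert(1)</script>\""; /* constructed sample */
    render_row_unsafe("alice", cmd, row, sizeof row); puts(row);
    if (render_row_safe("alice", cmd, row, sizeof row) >= 0) puts(row);
    return 0;
}
```

Escaping at render time, rather than filtering at log-collection time, keeps the audit record itself intact for forensics while making it inert in the web console.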

Vulners AI Score: 7.6 (High risk)
EPSS: 0.00199