CVE-2011-2150

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterStats version 6.0

Description The issue is related to an "XML injection" problem where the web server does not properly validate string data intended for storage in an XML document. This allows remote attackers to cause a denial of service, resulting in a parsing error and daemon pause. The attack vectors involve certain cookies in a SiteInfoLookup action to "Admin/frmSites.aspx", or certain cookies or parameters to "Client/frmViewOverviewReport.aspx", "Client/frmViewReports.aspx", or "Services/SiteAdmin.asmx".

Recommendations For SmarterTools SmarterStats version 6.0, consider disabling the XML parsing functionality until a patch is available. Restrict access to the affected API endpoints, such as "Admin/frmSites.aspx", "Client/frmViewOverviewReport.aspx", "Client/frmViewReports.aspx", and "Services/SiteAdmin.asmx", to minimize the risk of exploitation. Avoid using certain cookies or parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.