CVE-2011-2158

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterStats version 6.0

Description The issue concerns the SmarterTools SmarterStats web server sending incorrect Content-Type headers for certain resources. This could potentially allow remote attackers to leverage an interpretation conflict, affecting either clients or the SmarterStats product itself. The affected resources include specific API endpoints such as "Admin/frmSite.aspx", "Admin/frmSites.aspx", "Admin/frmViewReports.aspx", "App Themes/AboutThisFolder.txt", "Client/frmViewReports.aspx", "Temp/AboutThisFolder.txt", "default.aspx", "login.aspx", and certain ".jpg" URIs under "Temp/".

Recommendations For SmarterTools SmarterStats version 6.0, consider updating the Content-Type headers for the specified resources to prevent potential interpretation conflicts. As a temporary workaround, restrict access to the affected API endpoints, such as "Admin/frmSite.aspx", "Admin/frmSites.aspx", "Admin/frmViewReports.aspx", "Client/frmViewReports.aspx", "default.aspx", and "login.aspx", until a proper fix is applied. Additionally, limit access to the "App Themes/AboutThisFolder.txt", "Temp/AboutThisFolder.txt", and certain ".jpg" URIs under "Temp/" to minimize the risk of exploitation.