CVE-2011-2159
CVE-2011-2159 is a critical-severity vulnerability in Smartertools Smarterstats with a CVSS 2.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Critical (CVSS 2.0 base score 10.0)
- EPSS exploit prediction: 4% (90th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Smartertools Smarterstats
- Published:
- Last modified:
Description
The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2) Admin/Defaults/frmServerDefaults.aspx, (3) Admin/frmReportSettings.aspx, (4) Admin/frmSite.aspx, (5) App_Themes/Default/ButtonBarIcons.xml, (6) App_Themes/Default/Skin.xml, (7) Client/frmImportSettings.aspx, (8) Client/frmSeoSettings.aspx, (9) Services/Web.config, (10) aspnet_client/system_web/4_0_30319/, (11) clientaccesspolicy.xml, (12) cloudscan.exe, (13) crossdomain.xml, or (14) sitemap.xml. NOTE: it is possible that only clients, not the SmarterStats product, could be affected by this issue.
Frequently asked questions
- What is CVE-2011-2159?
- The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2) Admin/Defaults/frmServerDefaults.aspx, (3) Admin/frmReportSettings.aspx, (4) Admin/frmSite.aspx, (5) App_Themes/Default/ButtonBarIcons.xml, (6) App_Themes/Default/Skin.xml, (7) Client/frmImportSettings.aspx, (8) Client/frmSeoSettings.aspx, (9) Services/Web.config, (10) aspnet_client/system_web/4_0_30319/, (11) clientaccesspolicy.xml, (12) cloudscan.exe, (13) crossdomain.xml, or (14) sitemap.xml. NOTE: it is possible that only clients, not the SmarterStats product, could be affected by this issue.
- How severe is CVE-2011-2159?
- CVE-2011-2159 has a CVSS 2.0 base score of 10.0, rated critical severity.
- Is CVE-2011-2159 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (90th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2011-2159?
- CVE-2011-2159 affects Smartertools Smarterstats. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2011-2159?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2011-2159 published?
- CVE-2011-2159 was published on 2011-05-20 and last updated on 2026-06-16.
References
- http://www.kb.cert.org/vuls/id/240150
- http://www.kb.cert.org/vuls/id/MORO-8GYQR4
- http://xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67823
Affected products (1)
- cpe:2.3:a:smartertools:smarterstats:6.0:*:*:*:*:*:*:*
More vulnerabilities in Smartertools Smarterstats
- CVE-2011-4752 — Critical (CVSS 10.0): SmarterTools SmarterStats 6.2.4100 sends incorrect Content-Type headers for certain resources, which might allow remote…
- CVE-2011-2158 — Critical (CVSS 10.0): The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, which might…
- CVE-2011-2148 — Critical (CVSS 10.0): Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbitrary…
- CVE-2011-2155 — High (CVSS 7.5): Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field…
- CVE-2011-2149 — High (CVSS 7.5): Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attackers to…
- CVE-2017-14620 — Medium (CVSS 6.1): SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP Logfiles from URL…