cbcvebase.
CVE-2013-0213
published 2013-02-02

CVE-2013-0213: The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking…

PriorityP279medium5.1CVSS 2.0
AVNACHAuNCPIPAP
ITWVulnCheck KEVRansomware
Exploited in the wild
EPSS
3.25%
86.8th percentile
The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element.

Affected

146 ranges· showing 25
VendorProductVersion rangeFixed in
debiansamba< samba 2:3.6.6-5 (bookworm)samba 2:3.6.6-5 (bookworm)
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba
sambasamba

Detection & IOCsextracted from sources · hover to see the quote

  • The clickjacking attack vector requires the SWAT page to be embeddable via FRAME or IFRAME elements; detect absence of X-Frame-Options header on SWAT responses as an indicator of a vulnerable/unpatched instance
  • Attack is conducted by embedding the SWAT web interface in an attacker-controlled page using a FRAME or IFRAME element to trick authenticated users into changing Samba settings; monitor for cross-origin framing of SWAT (typically port 901)
  • Vulnerable Samba versions are 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2; use version detection to identify unpatched SWAT instances
  • ·The fix was applied in upstream commits for versions 4.0.2, 3.6.12, and 3.5.21; instances running older versions of SWAT remain exploitable for clickjacking
  • ·Samba upstream planned to remove SWAT entirely in Samba 4.1, so deployments still running SWAT on any version should be treated as high-risk
  • ·This issue also co-occurs with CVE-2013-0214 (CSRF in SWAT); both vulnerabilities affect the same component and should be remediated together

CVSS provenance

nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
osv5.1MEDIUM
vulncheck5.1MEDIUM
vendor_debian5.1MEDIUM
vendor_redhat5.1MEDIUM
vendor_ubuntu5.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.