CVE-2002-0412

critical

Description

Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication.

References

http://www.securityfocus.com/bid/4225

http://www.osvdb.org/5307

http://www.iss.net/security_center/static/8347.php

http://snapshot.ntop.org/

http://online.securityfocus.com/archive/1/259642

http://marc.info/?l=bugtraq&m=101908224609740&w=2

http://marc.info/?l=bugtraq&m=101856541322245&w=2

http://marc.info/?l=bugtraq&m=101854261030453&w=2

http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html

http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html

Details

Source: Mitre, NVD

Published: 2002-08-12

Updated: 2016-10-18

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical