CVE-2011-4923 in BackupPC

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer, a different vulnerability than CVE-2011-3361.


Analysis

by VulDB Data Team • 09/08/2025

The CVE-2011-4923 vulnerability represents a critical cross-site scripting flaw within BackupPC's web interface component, specifically affecting versions 3.0.0 through 3.2.1 and potentially earlier releases. This vulnerability resides in the View.pm module which handles the log file viewing functionality accessible through the index.cgi script. The flaw manifests when the application fails to properly sanitize user input passed through the num parameter during view actions, creating an exploitable entry point for malicious actors to inject arbitrary web scripts or HTML content directly into the application's response.

The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the BackupPC web application. When a user requests to view log files through the web interface, the application processes the num parameter to determine which log entries to display. However, the application does not adequately escape or filter special characters in this parameter before incorporating it into the HTML response sent to the victim's browser. This lack of proper sanitization allows attackers to craft malicious payloads that, when executed in a victim's browser, can perform unauthorized actions or steal sensitive information.

The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to leverage the compromised web interface for more sophisticated attacks. An attacker could inject malicious JavaScript code that redirects users to phishing sites, steals session cookies, or even executes commands on the victim's machine if the browser's security context allows such operations. The vulnerability affects the log file viewing functionality specifically, making it particularly dangerous since administrators often rely on these logs for monitoring system health and security incidents. A successful exploitation could allow attackers to manipulate log data, potentially obscuring their malicious activities or injecting false information that could mislead system administrators.

This vulnerability aligns with CWE-79, which defines the weakness of Cross-Site Scripting, and demonstrates how improper input handling can create persistent security risks within web applications. The attack vector follows the typical pattern described in the MITRE ATT&CK framework under the T1566 technique for initial access through web application attacks. The vulnerability's relationship to CVE-2011-3361, while different in scope, suggests a broader pattern of input validation weaknesses within the BackupPC application that may require comprehensive security review. Organizations using affected versions should immediately implement mitigations including input validation, output encoding, and proper parameter sanitization to prevent exploitation. The most effective immediate solution involves updating to patched versions of BackupPC where the input validation has been properly implemented to prevent unescaped data from being rendered in the browser context, thereby eliminating the XSS attack surface entirely.
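The missing encoding described in the analysis above, shown beside the input validation and output encoding it recommends. This is an added Perl example, not BackupPC's View.pm code; the function names, the markup and the assumption that num is a short non-negative integer are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration; hypothetical handlers, not BackupPC's View.pm.
use strict;
use warnings;

# Minimal HTML escaper for element text and quoted attribute values.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Weak form: the request value is interpolated into the page unchanged,
# so any markup it carries becomes part of the response.
sub render_unsafe {
    my ($num) = @_;
    return qq{<h1>Log file $num</h1>};
}

# Hardened form: allow-list validation first (assumption: num names a
# rotated log by a short non-negative integer), then encode on output
# anyway so a later change to the validation cannot reopen the hole.
sub render_safe {
    my ($num) = @_;
    # \A and \z anchor the whole string; '$' would accept a trailing newline.
    $num = '' unless defined $num && $num =~ /\A[0-9]{1,4}\z/;
    return '<h1>Log file ' . html_escape($num) . '</h1>';
}

# Constructed sample inputs: a valid value, a value carrying markup,
# and a value with a trailing newline.
for my $in ('3', '3<b>x</b>', "3\n") {
    (my $shown = $in) =~ s/\n/\\n/g;    # make the newline visible
    (my $weak = render_unsafe($in)) =~ s/\n/\\n/g;
    print "input:  $shown\n";
    print "unsafe: $weak\n";
    print "safe:   ", render_safe($in), "\n\n";
}
```

Only the first input survives validation in the hardened handler; the other two are replaced with an empty value before anything reaches the page.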

Reservation: 12/23/2011
Disclosure: 02/17/2012
Moderation: accepted
Entry: VDB-60250
CPE: ready
EPSS: 0.00591
KEV: no
Activities: very low
