Rapid7 Vulnerability & Exploit Database

USN-856-1: CUPS vulnerability

Back to Search

USN-856-1: CUPS vulnerability

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
11/10/2009
Created
07/25/2018
Added
05/06/2013
Modified
07/09/2020

Description

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

Solution(s)

  • ubuntu-upgrade-cups
  • ubuntu-upgrade-cupsys

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;