CVE-2009-2820

2009-11-1019:30:00

CWE-79

[email protected]

web.nvd.nist.gov

cups

web interface

xss attacks

http response splitting attacks

cve-2009-2820

security vulnerability

nvd

5 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.009 Low

EPSS

Percentile

82.4%

JSON

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product’s web interface, (b) the configuration of the print system, and © the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

CPENameOperatorVersion
apple:mac_os_xapple mac os xeq10.5.8
apple:mac_os_xapple mac os xeq10.4.3
apple:mac_os_xapple mac os xeq10.2.5
apple:mac_os_xapple mac os xeq10.2.7
apple:mac_os_xapple mac os xeq10.0.2
apple:mac_os_xapple mac os xeq10.2.8
apple:mac_os_xapple mac os xeq10.2.1
apple:mac_os_xapple mac os xeq10.5.6
apple:mac_os_xapple mac os xeq10.3.1
apple:mac_os_xapple mac os xeq10.3.5

CPE	Name	Operator	Version
apple:mac_os_x	apple mac os x	eq	10.5.8
apple:mac_os_x	apple mac os x	eq	10.4.3
apple:mac_os_x	apple mac os x	eq	10.2.5
apple:mac_os_x	apple mac os x	eq	10.2.7
apple:mac_os_x	apple mac os x	eq	10.0.2
apple:mac_os_x	apple mac os x	eq	10.2.8
apple:mac_os_x	apple mac os x	eq	10.2.1
apple:mac_os_x	apple mac os x	eq	10.5.6
apple:mac_os_x	apple mac os x	eq	10.3.1
apple:mac_os_x	apple mac os x	eq	10.3.5