CVE-2009-2820

🗓️ 10 Nov 2009 19:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov👁 93 Views🌐 WEB

The web interface in CUPS before 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks

Reporter	Title	Published	Views	Family All 78
Tenable Nessus	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	10 Nov 200900:00	–	nessus
Tenable Nessus	CUPS < 1.4.2 XSS	11 Nov 200900:00	–	nessus
Tenable Nessus	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	10 Nov 200900:00	–	nessus
Tenable Nessus	CentOS 5 : cups (CESA-2009:1595)	29 Jun 201300:00	–	nessus
Tenable Nessus	CUPS < 1.4.2 kerberos Parameter XSS	11 Nov 200900:00	–	nessus
Tenable Nessus	Debian DSA-1933-1 : cups - missing input sanitising	24 Feb 201000:00	–	nessus
Tenable Nessus	Fedora 11 : cups-1.4.2-7.fc11 (2009-10891)	1 Dec 200900:00	–	nessus
Tenable Nessus	Fedora 10 : cups-1.3.11-2.fc10 (2009-11062)	2 Dec 200900:00	–	nessus
Tenable Nessus	Fedora 12 : cups-1.4.2-7.fc12 (2009-11314)	1 Dec 200900:00	–	nessus
Tenable Nessus	Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities	9 Nov 200900:00	–	nessus

NVD

Node

apple mac_os_xRange≤10.6.1

apple mac_os_xMatch10.0

apple mac_os_xMatch10.0.0

apple mac_os_xMatch10.0.1

apple mac_os_xMatch10.0.2

apple mac_os_xMatch10.0.3

apple mac_os_xMatch10.0.4

apple mac_os_xMatch10.1

apple mac_os_xMatch10.1.0

apple mac_os_xMatch10.1.1

apple mac_os_xMatch10.1.2

apple mac_os_xMatch10.1.3

apple mac_os_xMatch10.1.4

apple mac_os_xMatch10.1.5

apple mac_os_xMatch10.2

apple mac_os_xMatch10.2.0

apple mac_os_xMatch10.2.1

apple mac_os_xMatch10.2.2

apple mac_os_xMatch10.2.3

apple mac_os_xMatch10.2.4

apple mac_os_xMatch10.2.5

apple mac_os_xMatch10.2.6

apple mac_os_xMatch10.2.7

apple mac_os_xMatch10.2.8

apple mac_os_xMatch10.3

apple mac_os_xMatch10.3.0

apple mac_os_xMatch10.3.1

apple mac_os_xMatch10.3.2

apple mac_os_xMatch10.3.3

apple mac_os_xMatch10.3.4

apple mac_os_xMatch10.3.5

apple mac_os_xMatch10.3.6

apple mac_os_xMatch10.3.7

apple mac_os_xMatch10.3.8

apple mac_os_xMatch10.3.9

apple mac_os_xMatch10.4

apple mac_os_xMatch10.4.0

apple mac_os_xMatch10.4.1

apple mac_os_xMatch10.4.2

apple mac_os_xMatch10.4.3

apple mac_os_xMatch10.4.4

apple mac_os_xMatch10.4.5

apple mac_os_xMatch10.4.6

apple mac_os_xMatch10.4.7

apple mac_os_xMatch10.4.8

apple mac_os_xMatch10.4.9

apple mac_os_xMatch10.4.10

apple mac_os_xMatch10.4.11

apple mac_os_xMatch10.5

apple mac_os_xMatch10.5.0

apple mac_os_xMatch10.5.1

apple mac_os_xMatch10.5.2

apple mac_os_xMatch10.5.3

apple mac_os_xMatch10.5.4

apple mac_os_xMatch10.5.5

apple mac_os_xMatch10.5.6

apple mac_os_xMatch10.5.7

apple mac_os_xMatch10.5.8

apple mac_os_xMatch10.6

Node

apple mac_os_x_serverRange≤10.6.1

apple mac_os_x_serverMatch10.0

apple mac_os_x_serverMatch10.0.0

apple mac_os_x_serverMatch10.0.1

apple mac_os_x_serverMatch10.0.2

apple mac_os_x_serverMatch10.0.3

apple mac_os_x_serverMatch10.0.4

apple mac_os_x_serverMatch10.1

apple mac_os_x_serverMatch10.1.0

apple mac_os_x_serverMatch10.1.1

apple mac_os_x_serverMatch10.1.2

apple mac_os_x_serverMatch10.1.3

apple mac_os_x_serverMatch10.1.4

apple mac_os_x_serverMatch10.1.5

apple mac_os_x_serverMatch10.2

apple mac_os_x_serverMatch10.2.0

apple mac_os_x_serverMatch10.2.1

apple mac_os_x_serverMatch10.2.2

apple mac_os_x_serverMatch10.2.3

apple mac_os_x_serverMatch10.2.4

apple mac_os_x_serverMatch10.2.5

apple mac_os_x_serverMatch10.2.6

apple mac_os_x_serverMatch10.2.7

apple mac_os_x_serverMatch10.2.8

apple mac_os_x_serverMatch10.3

apple mac_os_x_serverMatch10.3.0

apple mac_os_x_serverMatch10.3.1

apple mac_os_x_serverMatch10.3.2

apple mac_os_x_serverMatch10.3.3

apple mac_os_x_serverMatch10.3.4

apple mac_os_x_serverMatch10.3.5

apple mac_os_x_serverMatch10.3.6

apple mac_os_x_serverMatch10.3.7

apple mac_os_x_serverMatch10.3.8

apple mac_os_x_serverMatch10.3.9

apple mac_os_x_serverMatch10.4

apple mac_os_x_serverMatch10.4.0

apple mac_os_x_serverMatch10.4.1

apple mac_os_x_serverMatch10.4.2

apple mac_os_x_serverMatch10.4.3

apple mac_os_x_serverMatch10.4.4

apple mac_os_x_serverMatch10.4.5

apple mac_os_x_serverMatch10.4.6

apple mac_os_x_serverMatch10.4.7

apple mac_os_x_serverMatch10.4.8

apple mac_os_x_serverMatch10.4.9

apple mac_os_x_serverMatch10.4.10

apple mac_os_x_serverMatch10.4.11

apple mac_os_x_serverMatch10.5

apple mac_os_x_serverMatch10.5.0

apple mac_os_x_serverMatch10.5.1

apple mac_os_x_serverMatch10.5.2

apple mac_os_x_serverMatch10.5.3

apple mac_os_x_serverMatch10.5.4

apple mac_os_x_serverMatch10.5.5

apple mac_os_x_serverMatch10.5.6

apple mac_os_x_serverMatch10.5.7

apple mac_os_x_serverMatch10.5.8

apple mac_os_x_serverMatch10.6

Source	Link
support	www.support.apple.com/kb/HT3937
cups	www.cups.org/str.php
secunia	www.secunia.com/advisories/37360
lists	www.lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
mandriva	www.mandriva.com/security/advisories
vupen	www.vupen.com/english/advisories/2009/3184
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
securityfocus	www.securityfocus.com/bid/36956
sunsolve	www.sunsolve.sun.com/search/document.do
secunia	www.secunia.com/advisories/37308

Parameter	Position	Path	Description	CWE
kerberos	query param	/admin/	XSS/HTTP response splitting via kerberos parameter in CUPS web interface (admin) allowing attacker to inject scripts.	CWE-79

16 Jun 2026 23:10Current

6.8Medium risk

Vulners AI Score6.8

CVSS 24.3

EPSS0.0578

CWE-79