PRIOn knowledge basePRION:CVE-2009-2820Cross site scripting
5.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.2%
The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the productโs web interface, (b) the configuration of the print system, and ยฉ the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
References
lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
secunia.com/advisories/37308
secunia.com/advisories/37360
sunsolve.sun.com/search/document.do?assetkey=1-77-1021115.1-1
support.apple.com/kb/HT3937
www.cups.org/articles.php?L590
www.cups.org/documentation.php/relnotes.html
www.cups.org/str.php?L3367
www.mandriva.com/security/advisories?name=MDVSA-2010:072
www.mandriva.com/security/advisories?name=MDVSA-2010:073
www.redhat.com/support/errata/RHSA-2009-1595.html
www.securityfocus.com/bid/36956
www.vupen.com/english/advisories/2009/3184
bugzilla.redhat.com/show_bug.cgi?id=529833
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9153
Related
5.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.2%