CVE-2009-2820

2009-11-0900:00:00

ubuntu.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.009 Low

EPSS

Percentile

82.4%

JSON

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before
10.6.2 and other platforms, does not properly handle (1) HTTP headers and
(2) HTML templates, which allows remote attackers to conduct cross-site
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product’s web interface, (b) the configuration of the
print system, and © the titles of printed jobs, as demonstrated by an XSS
attack that uses the kerberos parameter to the admin program, and leverages
attribute injection and HTTP Parameter Pollution (HPP) issues.

OSVersionArchitecturePackageVersionFilename
ubuntu8.10noarchcups< 1.3.9-2ubuntu9.3UNKNOWN
ubuntu9.04noarchcups< 1.3.9-17ubuntu3.4UNKNOWN
ubuntu9.10noarchcups< 1.4.1-5ubuntu2.1UNKNOWN
ubuntu6.06noarchcupsys< 1.2.2-0ubuntu0.6.06.15UNKNOWN
ubuntu8.04noarchcupsys< 1.3.7-1ubuntu3.6UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.10	noarch	cups	< 1.3.9-2ubuntu9.3	UNKNOWN
ubuntu	9.04	noarch	cups	< 1.3.9-17ubuntu3.4	UNKNOWN
ubuntu	9.10	noarch	cups	< 1.4.1-5ubuntu2.1	UNKNOWN
ubuntu	6.06	noarch	cupsys	< 1.2.2-0ubuntu0.6.06.15	UNKNOWN
ubuntu	8.04	noarch	cupsys	< 1.3.7-1ubuntu3.6	UNKNOWN