QwikSec

Security Database

CVE

CWE

Training

CVE-2009-2820

Published: Nov 10, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.cups.org/str.php?L3367

x_refsource_CONFIRM

vendor-advisory

x_refsource_SUNALERT

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_MANDRIVA

vdb-entry

x_refsource_BID

third-party-advisory

x_refsource_SECUNIA

https://bugzilla.redhat.com/show_bug.cgi?id=529833

x_refsource_CONFIRM

third-party-advisory

x_refsource_SECUNIA

vendor-advisory

x_refsource_MANDRIVA

oval:org.mitre.oval:def:9153

vdb-entry

signature

x_refsource_OVAL

http://www.cups.org/documentation.php/relnotes.html

x_refsource_CONFIRM

vdb-entry

x_refsource_VUPEN

http://www.cups.org/articles.php?L590

x_refsource_CONFIRM

APPLE-SA-2009-11-09-1

vendor-advisory

x_refsource_APPLE

http://support.apple.com/kb/HT3937

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.