Summary
This host is installed with CUPS and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to version 1.7.2 or higher.
For updates, refer to http://www.cups.org/software.php
Insight
The flaw is due to the is_path_absolute() function not validating input passed via the URL path before returning it to users.
Affected
Common Unix Printing System (CUPS) versions before 1.7.2
Detection
Send crafted data via an HTTP GET request and check whether it is able to get the domain or not.
Severity
Classification
CVE: CVE-2014-2856
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N