header-logo
Suggest Exploit
vendor:
CUPS
by:
SecurityFocus
8.8
CVSS
HIGH
Cross-Site Scripting
79
CWE
Product Name: CUPS
Affected Version From: Prior to CUPS 1.4.2
Affected Version To: Prior to CUPS 1.4.2
Patch Exists: YES
Related CWE: N/A
CPE: a:apple:cups
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mac OS X
2009

CUPS Cross-Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Users should avoid following untrusted links and should never enter sensitive information into a web page unless it is known to be secure.
Source

Exploit-DB raw data:

Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

The following example URI is available:

http://www.example.com/admin/?kerberos=onmouseover=alert





source: https://www.securityfocus.com/bid/36958/info

CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.

This issue affects versions prior to CUPS 1.4.2.