CVE-2014-2856

Published: 18/04/2014 Updated: 16/12/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) prior to 1.7.2 allows remote malicious users to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.

Affected Products

Vendor | Product | Versions
Apple | Cups | 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.5-1, 1.1.5-2, 1.1.6, 1.1.6-1, 1.1.6-2, 1.1.6-3, 1.1.7, 1.1.8, 1.1.9, 1.1.9-1, 1.1.10, 1.1.10-1, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7, 1.7.0, 1.7.1

Vendor Advisories

CUPS could be made to expose sensitive information over the network ...
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface ...
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface (CVE-2014-2856). It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' ...