Page 3 of 16 results (0.008 seconds)

CVSS: 6.8EPSS: 1%CPEs: 9EXPL: 0

Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow. Desbordamiento de enteros en la función cupsRasterReadPixels en filter/raster.c en CUPS anterior a 2.0.2 permite a atacantes remotos tener un impacto no especificado a través de un fichero de raster comprimido malformado, lo que provoca un desbordamiento de buffer. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way CUPS handled compressed raster image files. An attacker could create a specially crafted image file that, when passed via the CUPS Raster filter, could cause the CUPS filter to crash. • http://advisories.mageia.org/MGASA-2015-0067.html http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150171.html http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150177.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00098.html http://rhn.redhat.com/errata/RHSA-2015-1123.html http://www.debian.org/security/2015/dsa-3172 http://www.mandriva.com/security/advisories?name=MDVSA-2015:049 http://www.mandriva.com/security/advisories?name=MDVSA-201 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0

CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. CUPS anterior a 2.0 permite a usuarios locales leer ficheros arbitrarios a través de un ataque de enlace simbólico sobre (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc o (6) index.py. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. • http://advisories.mageia.org/MGASA-2014-0313.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/60509 http://secunia.com/advisories/60787 http://www.debian.org/security/2014/dsa-2990 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/07/22/13 http://www.openwall.com/lists/oss-security/2014/07/22/2 http://www.ubuntu.com/usn/USN-2341-1 https://cups.org/str.php • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0

The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. La interfaz web en CUPS anterior a 2.0 no comprueba que los ficheros tienen permisos de lectura universal, lo que permite a atacantes remotos obtener información sensible a través de vectores no especificados. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. • http://advisories.mageia.org/MGASA-2014-0313.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/60509 http://secunia.com/advisories/60787 http://www.debian.org/security/2014/dsa-2990 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/07/22/13 http://www.openwall.com/lists/oss-security/2014/07/22/2 http://www.ubuntu.com/usn/USN-2341-1 https://cups.org/str.php • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0

The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. La interfaz web en CUPS anterior a 1.7.4 permite a usuarios locales en el grupo lp leer ficheros arbitrarios a través de un ataque de enlace simbólico sobre un fichero en /var/cache/cups/rss/. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. • http://advisories.mageia.org/MGASA-2014-0313.html http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/59945 http://secunia.com/advisories/60273 http://secunia.com/advisories/60787 http://www.cups.org/blog.php?L724 http://www.cups.org/str.php?L4450 http://www.mandriva.com/security/advisories?name=MDVSA-2015 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 4.3EPSS: 0%CPEs: 111EXPL: 0

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function. Vulnerabilidad de XSS en scheduler/client.c en Common Unix Printing System (CUPS) anterior a 1.7.2 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de la ruta de URL, relacionado con la función is_path_absolute. A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. • http://advisories.mageia.org/MGASA-2014-0193.html http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/57880 http://www.cups.org/documentation.php/relnotes.html http://www.cups.org/str.php?L4356 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/04/14/2 http://www.openwall.com/lists/oss-security/2014/04/15/3 http://www.securityfocus.com/bid/66788 http://www.ubuntu.com/u • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •