
CVSS: 4.3 | EPSS: 0% | CPEs: 111 | EXPL: 0

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.

A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.

• http://advisories.mageia.org/MGASA-2014-0193.html
• http://rhn.redhat.com/errata/RHSA-2014-1388.html
• http://secunia.com/advisories/57880
• http://www.cups.org/documentation.php/relnotes.html
• http://www.cups.org/str.php?L4356
• http://www.mandriva.com/security/advisories?name=MDVSA-2015:108
• http://www.openwall.com/lists/oss-security/2014/04/14/2
• http://www.openwall.com/lists/oss-security/2014/04/15/3
• http://www.securityfocus.com/bid/66788
• http://www.ubuntu.com/u
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 1.2 | EPSS: 0% | CPEs: 6 | EXPL: 1

lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows local users to read portions of arbitrary files via a modified HOME environment variable and a symlink attack involving .cups/client.conf.

• http://advisories.mageia.org/MGASA-2014-0021.html
• http://secunia.com/advisories/56531
• http://www.cups.org/blog.php?L704
• http://www.cups.org/str.php?L4319
• http://www.mandriva.com/security/advisories?name=MDVSA-2014:015
• http://www.ubuntu.com/usn/USN-2082-1
• CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 9.8 | EPSS: 3% | CPEs: 4 | EXPL: 0

The 'Listen localhost:631' option in cups (Common Unix Printing System) is not honored correctly, which could provide unauthorized access to the system.

• http://www.openwall.com/lists/oss-security/2013/01/04/5
• http://www.securityfocus.com/bid/57158
• https://access.redhat.com/security/cve/cve-2012-6094
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6094
• https://bugzilla.suse.com/show_bug.cgi?id=CVE-2012-6094
• https://exchange.xforce.ibmcloud.com/vulnerabilities/82451
• https://security-tracker.debian.org/tracker/CVE-2012-6094
• CWE-863: Incorrect Authorization

CVSS: 5.1 | EPSS: 55% | CPEs: 93 | EXPL: 0

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896.

• http://cups.org/str.php?L3914
• http://secunia.com/advisories/45796
• http://secunia.com/advisories/46024
• http://security.gentoo.org/glsa/glsa-201207-10.xml
• http://www.debian.org/security/2011/dsa-2354
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:146
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:147
• http://www.securityfocus.com/bid/49323
• http://www.securitytracker.com/id?1025980
• http://www.ubuntu.com/usn/USN-1207-1
• https://bugzilla.redhat.
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer