The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before
10.6.2 and other platforms, does not properly handle (1) HTTP headers and
(2) HTML templates, which allows remote attackers to conduct cross-site
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product's web interface, (b) the configuration of the
print system, and (c) the titles of printed jobs, as demonstrated by an XSS
attack that uses the kerberos parameter to the admin program, and leverages
attribute injection and HTTP Parameter Pollution (HPP) issues.
Source: cups (LP Ubuntu Debian)
Upstream:released (1.4.2)
Upstream:released (1.4.2)
More Information

Updated: 2019-03-19 11:50:32 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)