CUPS < 1.4.2 kerberos Parameter XSS

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote printer service is affected by a cross-site scripting
vulnerability.

Description :

According to its banner, the version of CUPS installed on the remote
host is earlier than 1.4.2. The 'kerberos' parameter in such versions
is not properly sanitized before being used to generate dynamic HTML
content.

An attacker can leverage this issue via a combination of attribute
injection and HTTP Parameter Pollution to inject arbitrary script code
into a user's browser to be executed within the security context of
the affected site.

See also :

http://www.cups.org/str.php?L3367
http://www.cups.org/articles.php?L590

Solution :

Upgrade to CUPS version 1.4.2 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 42468 (cups_1_4_2.nasl)

Bugtraq ID: 36958

CVE ID: CVE-2009-2820