CVE-2014-2856

medium

Description

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.

References

http://advisories.mageia.org/MGASA-2014-0193.html

http://rhn.redhat.com/errata/RHSA-2014-1388.html

http://secunia.com/advisories/57880

http://www.cups.org/documentation.php/relnotes.html

http://www.cups.org/str.php?L4356

http://www.mandriva.com/security/advisories?name=MDVSA-2015:108

http://www.openwall.com/lists/oss-security/2014/04/14/2

http://www.openwall.com/lists/oss-security/2014/04/15/3

http://www.securityfocus.com/bid/66788

http://www.ubuntu.com/usn/USN-2172-1

Details

Source: MITRE

Published: 2014-04-18

Updated: 2017-12-16

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apple:cups:1.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5-2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.9:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.9-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.10:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.10-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.11:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.12:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.13:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.14:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.15:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.16:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.17:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.18:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc4:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc5:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc4:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc5:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc6:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.23:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.23:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:b2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.11:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.9:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.10:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.11:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4:b2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4:b3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.4.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5:b2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.6.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.7:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:* versions up to 1.7.1 (inclusive)

cpe:2.3:a:apple:cups:1.7.1:b1:*:*:*:*:*:*

Tenable Plugins

15 plugins in total.

ID | Name | Product | Family | Severity
124935 | EulerOS Virtualization 3.0.1.0 : cups (EulerOS-SA-2019-1432) | Nessus | Huawei Local Security Checks | high
82361 | Mandriva Linux Security Advisory : cups (MDVSA-2015:108) | Nessus | Mandriva Local Security Checks | medium
80597 | Oracle Solaris Third-Party Patch Update : cups (cve_2014_2856_cross_site) | Nessus | Solaris Local Security Checks | medium
79550 | OracleVM 3.3 : cups (OVMSA-2014-0035) | Nessus | OracleVM Local Security Checks | high
79177 | CentOS 6 : cups (CESA-2014:1388) | Nessus | CentOS Local Security Checks | medium
78842 | Scientific Linux Security Update : cups on SL6.x i386/x86_64 (20141014) | Nessus | Scientific Linux Local Security Checks | medium
78781 | Amazon Linux AMI : cups (ALAS-2014-438) | Nessus | Amazon Linux Local Security Checks | medium
78522 | Oracle Linux 6 : cups (ELSA-2014-1388) | Nessus | Oracle Linux Local Security Checks | medium
78405 | RHEL 6 : cups (RHSA-2014:1388) | Nessus | Red Hat Local Security Checks | medium
74070 | Mandriva Linux Security Advisory : cups (MDVSA-2014:091) | Nessus | Mandriva Local Security Checks | medium
73774 | Fedora 20 : cups-1.7.2-1.fc20 (2014-5079) | Nessus | Fedora Local Security Checks | medium
73746 | Fedora 19 : cups-1.6.4-5.fc19 (2014-4384) | Nessus | Fedora Local Security Checks | medium
73734 | CUPS < 1.7.2 is_path_absolute Function XSS | Nessus | Misc. | medium
73709 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : cups vulnerability (USN-2172-1) | Nessus | Ubuntu Local Security Checks | medium
8210 | CUPS < 1.7.2 Reflected Cross-Site Scripting Vulnerability | Nessus Network Monitor | Web Servers | medium