CVE-2008-5184 — Apple Cups vulnerability

CWE-25510 documents8 sources

Severity

10.0CRITICALNVD

EPSS

0.3%

top 48.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Cups

Timeline

PublishedNov 21

Latest updateMay 17

Description

The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

▶Debianapple/cups< 1.3.8-1+3

▶NVDapple/cups1.3.7+53

🔴Vulnerability Details

GHSA

GHSA-xmmc-fgrf-gp3v: The web interface (cgi-bin/admin↗2022-05-17

▶

CVEList

CVE-2008-5184: The web interface (cgi-bin/admin↗2008-11-21

▶

OSV

CVE-2008-5184: The web interface (cgi-bin/admin↗2008-11-21

▶

📋Vendor Advisories

Ubuntu

CUPS vulnerabilities↗2009-01-12

▶

Red Hat

cups: DoS (daemon crash) caused by the large number of subscriptions↗2008-11-15

▶

Red Hat

cups: improper use of the 'guest' username in the web UI, when user not logged on to the server↗2008-03-27

▶

Debian

CVE-2008-5184: cups - The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username...↗2008

▶

💬Community

Bugzilla

CVE-2008-5184 cups: improper use of the 'guest' username in the web UI, when user not logged on to the server↗2008-12-01

▶

Bugzilla

CVE-2008-5183 cups: DoS (daemon crash) caused by the large number of subscriptions↗2008-12-01

▶