Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-2820: Cross-site Scripting in Apple MAC OS X

Severity: 4.3 MEDIUM (NVD)
EPSS: 2.0% (top 16.34%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 10; latest update May 2

Description

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (3 packages)

Source | Package | Affected versions
Debian | apple/cups | < 1.4.2-1 (+3)
NVD | apple/mac_os_x | 10.6.1 (+58)
NVD | apple/mac_os_x_server | 10.6.1 (+58)

Patches

Vulnerability Details (3)

GHSA: GHSA-hmf5-7mhf-fpjh: The web interface in CUPS before 1... (2022-05-02)
OSV: CVE-2009-2820: The web interface in CUPS before 1... (2009-11-10)
CVEList: CVE-2009-2820: The web interface in CUPS before 1... (2009-11-10)

Exploits & PoCs (1)

Exploit-DB: CUPS - 'kerberos' Cross-Site Scripting (2009-11-11)

Vendor Advisories (3)

Ubuntu: CUPS vulnerability (2009-11-10)
Red Hat: cups: Several XSS flaws in forms processed by CUPS web interface (2009-11-09)
Debian: CVE-2009-2820: cups - The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 ... (2009)

Community (1)

Bugzilla: CVE-2009-2820 cups: Several XSS flaws in forms processed by CUPS web interface (2009-10-20)
CVE-2009-2820 — Cross-site Scripting in Apple MAC OS X | cvebase