CVE-2015-1159
published 2015-06-26

Priority: P427, medium, 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 7.30% (93.6th percentile)
Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.

Affected

8 ranges
Vendor   Product                                               Version range                  Fixed in
apple    cups                                                  >= 0 < 1.7.5-12                1.7.5-12
apple    cups                                                  >= 0 < 1.7.5-12                1.7.5-12
apple    cups                                                  >= 0 < 1.7.5-12                1.7.5-12
apple    cups                                                  >= 0 < 1.7.5-12                1.7.5-12
apple    cups                                                  >= 0 < 1.7.2-0ubuntu1.6        1.7.2-0ubuntu1.6
apple    os_x_yosemite_v10.10.3_and_security_update_2015-004
cups     cups                                                  <= 2.0.2
debian   cups                                                  < cups 1.7.5-12 (bookworm)     cups 1.7.5-12 (bookworm)

Detection & IOCs (extracted from sources)

url: http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search
port: 631
path: /help/
path: cgi-bin/template.c
  • Detect HTTP GET requests to the CUPS web interface at /help/ containing a QUERY parameter that begins with URL-encoded '<a href="' (i.e., %3Ca%20href%3D%22 or similar) — this is the specific XSS injection vector for CVE-2015-1159.
  • Monitor HTTP requests to CUPS port 631 /help/ endpoint with QUERY parameter values containing URL-encoded script tags or HTML injection payloads (e.g., %3Cscript%3E).
  • The XSS payload uses an open HTML comment string '<!--' to avoid parse errors; look for QUERY parameters containing %3C!-- or <!-- in requests to /help/.
  • The exploit also leverages IPP_CREATE_JOB or IPP_PRINT_JOB requests with a multi-value 'job-originating-host-name' attribute to trigger a use-after-free (CVE-2015-1158) as a precursor; monitor for IPP requests with abnormally high numbers of 'job-originating-host-name' values.
  • The vulnerable code path is in cgi_puts() within cgi-bin/template.c; the flaw is that values starting with '<a href="' bypass HTML escaping of double-quotes, allowing attribute injection.
  • The XSS is reachable in the default CUPS configuration for Linux, where the scheduler is bound to localhost/loopback — an attacker can exploit this to bypass that binding restriction.
  • CUPS 2.0.3+ mitigates future similar bugs by blocking LD_* and DYLD_* environment variables when running as root, and removing the localhost listener when 'WebInterface' is disabled (2.1 beta).
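
The first three detection notes above, written as a log check. This is an added example, not code from the cited sources or from CUPS. It assumes each access-log line carries a quoted request line in Common Log Format style; the sample lines and the check names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Quoted request line of an access-log entry, e.g. "GET /help/?QUERY=x HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Checks from the detection notes, applied to the *decoded* QUERY value.
CHECKS = (
    ("a-href-prefix", lambda v: v.lower().startswith('<a href="')),
    ("script-tag", lambda v: "<script" in v.lower()),
    ("open-html-comment", lambda v: "<!--" in v),
)

# Constructed sample lines (not real logs); line 2 reuses the URL listed above.
SAMPLE_LOG = [
    'localhost - - [26/Jun/2015:10:00:00 +0000] "GET /help/?QUERY=ipp&SEARCH=Search HTTP/1.1" 200 4120 - -',
    'localhost - - [26/Jun/2015:10:00:05 +0000] "GET /help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search HTTP/1.1" 200 4388 - -',
    'localhost - - [26/Jun/2015:10:00:09 +0000] "GET /admin/?QUERY=%3Cscript%3E HTTP/1.1" 200 100 - -',
    'localhost - - [26/Jun/2015:10:00:12 +0000] "GET /help/?QUERY=%3C%21--+note HTTP/1.1" 200 4120 - -',
]

def classify(line):
    """Return the names of the checks a log line trips (empty list if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/help/"):
        return []  # only the help search endpoint is in scope for this CVE
    hits = []
    # parse_qs percent-decodes each value and turns '+' into a space, so
    # %3C, %3c and %3C%21-- are all compared in their decoded form.
    for value in parse_qs(url.query, keep_blank_values=True).get("QUERY", []):
        hits += [name for name, test in CHECKS if test(value) and name not in hits]
    return hits

def scan(lines):
    """Return (line_number, hits) for every line that trips a check."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Matching on the decoded value rather than on literal strings such as %3Cscript%3E keeps the check independent of how the request was percent-encoded.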

CVSS provenance

nvd: v2.0, 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
osv: 10.0 CRITICAL
vendor_ubuntu: 10.0 CRITICAL
vendor_debian: 4.3 MEDIUM
vendor_redhat: 4.3 MEDIUM