SB2015061521 - Cross-site scripting in cups (Alpine package)
Published: June 15, 2015
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2015-1159)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 when processing QUERY parameter to help/. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=2bd688203ac9a6bade959c7857aa827a882a5a26
- https://git.alpinelinux.org/aports/commit/?id=ff5aca650b718685ddf975d4f7f26993fc79f235
- https://git.alpinelinux.org/aports/commit/?id=5f589ae6722e270d6297726d8ef6ab405dc22d93
- https://git.alpinelinux.org/aports/commit/?id=40283b5ee346c43fe039dffe33f22e009c0094a1