{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-08T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-22T09:57:01", "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple"}, "references": [{"name": "DSA-3283", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3283"}, {"name": "RHSA-2015:1123", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"name": "USN-2629-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"name": "1032556", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032556"}, {"name": "SUSE-SU-2015:1044", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.cups.org/blog.php?L1082"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642"}, {"name": "VU#810572", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/810572"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.cups.org/str.php?L4609"}, {"name": "75106", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75106"}, {"name": "GLSA-201510-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201510-07"}, {"tags": ["x_refsource_MISC"], "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"name": "SUSE-SU-2015:1041", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"tags": ["x_refsource_MISC"], "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"name": "openSUSE-SU-2015:1056", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "product-security@apple.com", "ID": "CVE-2015-1159", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3283", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3283"}, {"name": "RHSA-2015:1123", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"name": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208", "refsource": "CONFIRM", "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"name": "USN-2629-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"name": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702", "refsource": "CONFIRM", "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"name": "1032556", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032556"}, {"name": "SUSE-SU-2015:1044", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"name": "http://www.cups.org/blog.php?L1082", "refsource": "CONFIRM", "url": "http://www.cups.org/blog.php?L1082"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642"}, {"name": "VU#810572", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/810572"}, {"name": "https://www.cups.org/str.php?L4609", "refsource": "CONFIRM", "url": "https://www.cups.org/str.php?L4609"}, {"name": "75106", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75106"}, {"name": "GLSA-201510-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201510-07"}, {"name": "https://code.google.com/p/google-security-research/issues/detail?id=455", "refsource": "MISC", "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"name": "SUSE-SU-2015:1041", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"name": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html", "refsource": "MISC", "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"name": "openSUSE-SU-2015:1056", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:33:20.630Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3283", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3283"}, {"name": "RHSA-2015:1123", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"name": "USN-2629-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"name": "1032556", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1032556"}, {"name": "SUSE-SU-2015:1044", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.cups.org/blog.php?L1082"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642"}, {"name": "VU#810572", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/810572"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cups.org/str.php?L4609"}, {"name": "75106", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75106"}, {"name": "GLSA-201510-07", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201510-07"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"name": "SUSE-SU-2015:1041", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"name": "openSUSE-SU-2015:1056", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}]}]}, "cveMetadata": {"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "assignerShortName": "apple", "cveId": "CVE-2015-1159", "datePublished": "2015-06-26T10:00:00", "dateReserved": "2015-01-16T00:00:00", "dateUpdated": "2024-08-06T04:33:20.630Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cups:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16A5939-A072-4A0C-AD13-9A580B0DF4D3", "versionEndIncluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/."}, {"lang": "es", "value": "Vulnerabilidad de XSS en la funci\u00f3n cgi_puts en cgi-bin/template.c en el motor de plantillas en CUPS anterior a 2.0.3 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s del par\u00e1metro QUERY en help/."}], "id": "CVE-2015-1159", "lastModified": "2017-09-23T01:29:00.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-26T10:59:02.077", "references": [{"source": "product-security@apple.com", "tags": ["Technical Description"], "url": "http://googleprojectzero.blogspot.in/2015/06/owning-internet-printing-case-study-in.html"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory"], "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10702"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html"}, {"source": "product-security@apple.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html"}, {"source": "product-security@apple.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1123.html"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "http://www.cups.org/blog.php?L1082"}, {"source": "product-security@apple.com", "url": "http://www.debian.org/security/2015/dsa-3283"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/810572"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/75106"}, {"source": "product-security@apple.com", "url": "http://www.securitytracker.com/id/1032556"}, {"source": "product-security@apple.com", "url": "http://www.ubuntu.com/usn/USN-2629-1"}, {"source": "product-security@apple.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=924208"}, {"source": "product-security@apple.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642"}, {"source": "product-security@apple.com", "tags": ["Exploit"], "url": "https://code.google.com/p/google-security-research/issues/detail?id=455"}, {"source": "product-security@apple.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://security.gentoo.org/glsa/201510-07"}, {"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://www.cups.org/str.php?L4609"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank CERT/CC for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:1123", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "cups-1:1.4.2-67.el6_6.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-06-17T00:00:00Z"}, {"advisory": "RHSA-2015:1123", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "cups-1:1.6.3-17.el7_1.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-06-17T00:00:00Z"}], "bugzilla": {"description": "cups: cross-site scripting flaw in CUPS web UI (VU#810572)", "id": "1221642", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221642"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.", "A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface."], "name": "CVE-2015-1159", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "cups", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2015-06-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-1159\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1159"], "statement": "This issue affects the version of cups package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Moderate"}