CVE-2014-2856

Publication date 18 April 2014

Last updated 24 July 2024

Ubuntu priority

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cups	14.04 LTS trusty	Fixed 1.7.2-0ubuntu1
	13.10 saucy	Fixed 1.7.0~rc1-0ubuntu5.3
	12.10 quantal	Fixed 1.6.1-0ubuntu11.6
	12.04 LTS precise	Fixed 1.5.3-0ubuntu8.2
	10.04 LTS lucid	Fixed 1.4.3-1ubuntu1.11

Notes

mdeslaur

successfully reproduced on lucid+ patch in bug is what's in 1.7.2

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cups	Upstream: http://www.cups.org/strfiles.php/3268/str4356.patch

References

Related Ubuntu Security Notices (USN)