CVE-2009-2820

N/A Unknown

Published: November 10, 2009 Modified: April 23, 2026

Description

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/37308

Source: cve@mitre.org

http://secunia.com/advisories/37360

Source: cve@mitre.org

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021115.1-1

Source: cve@mitre.org

http://support.apple.com/kb/HT3937

Source: cve@mitre.org

Patch Vendor Advisory

http://www.cups.org/articles.php?L590

Source: cve@mitre.org

http://www.cups.org/documentation.php/relnotes.html

Source: cve@mitre.org

http://www.cups.org/str.php?L3367

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2010:072

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2010:073

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2009-1595.html

Source: cve@mitre.org

http://www.securityfocus.com/bid/36956

Source: cve@mitre.org

Patch

http://www.vupen.com/english/advisories/2009/3184

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=529833

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9153

Source: cve@mitre.org

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/37308

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/37360

Source: af854a3a-2127-422b-91ae-364da2661108

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021115.1-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT3937

Source: af854a3a-2127-422b-91ae-364da2661108

Patch Vendor Advisory

http://www.cups.org/articles.php?L590

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.cups.org/documentation.php/relnotes.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.cups.org/str.php?L3367

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2010:072

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2010:073

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2009-1595.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/36956

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.vupen.com/english/advisories/2009/3184

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=529833

Source: af854a3a-2127-422b-91ae-364da2661108

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9153

Source: af854a3a-2127-422b-91ae-364da2661108

30 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

2.0%

84th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

apple

Related CVEs

CVE-2026-7073 7.3

CVE-2026-7072 7.3

CVE-2026-7071 5.3

CVE-2026-7070 7.3

CVE-2026-7069 8.0