The CUPS 1.7.2 release fixes a possible cross-site scripting issue in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.

Patch for is_absolute_path(): http://www.cups.org/strfiles.php/3268/str4356.patch

I was unable to reproduce this issue in Fedora 19 and 20.

References:
http://www.cups.org/blog.php?L717
http://www.cups.org/str.php?L4356
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1087123]
CVE request: http://www.openwall.com/lists/oss-security/2014/04/14/2
MITRE assigned CVE-2014-2856 to this issue: http://seclists.org/oss-sec/2014/q2/115
cups-1.6.4-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.7.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in the Production 3 Phase of its support and maintenance life cycle (https://access.redhat.com/support/policy/updates/errata/).
IssueDescription: A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1388 https://rhn.redhat.com/errata/RHSA-2014-1388.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHBA-2015:0386 https://rhn.redhat.com/errata/RHBA-2015-0386.html