CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

Metric | Value |
---|---|
Percentile | 85.6% |

The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest
username when a user is not logged on to the web server, which makes it
easier for remote attackers to bypass intended policy and conduct CSRF
attacks via the (1) add and (2) cancel RSS subscription functions.
Author | Note |
---|---|
mdeslaur | Only 1.3.x has rss subscriptions, so dapper is not vulnerable |