CVE-2010-1748

Name of the Vulnerable Software and Affected Versions CUPS versions prior to 1.4.4

Description The issue arises from the improper handling of parameter values containing a % (percent) character without two subsequent hex characters by the cgi initialize string function in the web interface. This allows attackers to obtain sensitive information from cupsd process memory via crafted requests, such as the "/admin?OP=redirect&URL=%" and "/admin?URL=/admin/&OP=%" API endpoints.

Recommendations For versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin API endpoint to minimize the risk of exploitation. Avoid using the URL and OP parameters in the affected API endpoints until the issue is resolved.