A cross-site scripting flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the "lp" group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system