Vulnerability CVE-2013-6033


Published: 2014-02-04

Description:
Multiple cross-site scripting (XSS) vulnerabilities on Lexmark W840 through LS.HA.P252, T64x before LS.ST.P344, C935dn through LC.JO.P091, C920 through LS.TA.P152, C53x through LS.SW.P069, C52x through LS.FA.P150, E450 through LM.SZ.P124, E350 through LE.PH.P129, and E250 through LE.PM.P126 printers allow remote authenticated users to inject arbitrary web script or HTML by using (1) SNMP or (2) the Embedded Web Server (EWS) to set the (a) Contact or (b) Location field.

See advisories in our WLB2 database:
Topic
Author
Date
High
Lexmark laser printers contain multiple vulnerabilities
USCERT
05.02.2014

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Lexmark
Product: C920 
Version: ls.ta.p152;
Product: C53X 
Version: ls.sw.p069;
Product: T64X 
Version: ls.st.p343;
Product: W840 
Version: ls.ha.p252;
Product: C52X 
Version: ls.fa.p150;
Product: E450 
Version: lm.sz.p124;
Product: E250 
Version: le.pm.p126;
Product: E350 
Version: le.ph.p129;
Product: C935dn 
Version: lc.jo.p091;

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.kb.cert.org/vuls/id/108062
http://www.securityfocus.com/bid/65277
http://www.osvdb.org/102752
http://support.lexmark.com/index?page=content&id=TE585

Related CVE
CVE-2018-15520
Various Lexmark devices have a Buffer Overflow (issue 2 of 2).
CVE-2018-15519
Various Lexmark devices have a Buffer Overflow (issue 1 of 2).
CVE-2018-17944
On certain Lexmark devices that communicate with an LDAP or SMTP server, a malicious administrator can discover LDAP or SMTP credentials by changing that server's hostname to one that they control, and then capturing the credentials that are sent the...
CVE-2019-6489
Certain Lexmark CX, MX, X, XC, XM, XS, and 6500e devices before 2019-02-11 allow remote attackers to erase stored shortcuts.
CVE-2017-13771
Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configuration credentials in plaintext and transmits them in requests, which allows remote attackers to obtain sensitive information via requests to (1) cgi-bin/direct/printer/prtappauth/...
CVE-2017-2821
An exploitable use-after-free exists in the PDF parsing functionality of Lexmark Perspective Document Filters 11.3.0.2400 and 11.4.0.2452. A crafted PDF document can lead to a use-after-free resulting in direct code execution.
CVE-2017-2822
An exploitable code execution vulnerability exists in the image rendering functionality of Lexmark Perceptive Document Filters 11.3.0.2400. A specifically crafted PDF can cause a function call on a corrupted DCTStream to occur, resulting in user cont...
CVE-2017-2806
An exploitable arbitrary read exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a arbitrary read resulting in memory disclosure. The vulnerability was confirmed on versi...

Copyright 2019, cxsecurity.com

 

Back to Top