Vulnerability CVE-2018-5921


Published: 2018-10-03

Description:
A potential security vulnerability has been identified with certain HP printers and MFPs in 2405129_000052 and other firmware versions. This vulnerability is known as Cross Site Request Forgery, and could potentially be exploited remotely to allow elevation of privilege.

Type:

CWE-352

(Cross-Site Request Forgery (CSRF))

Vendor: HP
Product: J7x28a firmware 
Version: _2308214_000912;
Product: E6b71a firmware 
Version: _2308214_000908;
Product: Cc522a firmware 
Version: 2308214_000932;
Product: Cc523a firmware 
Version: 2308214_000932;
Product: Cc524a firmware 
Version: 2308214_000932;
Product: A2w77a firmware 
Version: 2308214_000930;
Product: A2w78a firmware 
Version: 2308214_000930;
Product: A2w79a firmware 
Version: 2308214_000930;
Product: D7p70a firmware 
Version: 2308214_000928;
Product: A2w75a firmware 
Version: 2308214_000928;
Product: D7p71a firmware 
Version: 2308214_000928;
Product: A2w76a firmware 
Version: 2308214_000928;
Product: Cd644a firmware 
Version: 2308214_000925;
Product: Cd645a firmware 
Version: 2308214_000925;
Product: Cd646a firmware 
Version: 2308214_000925;
Product: G1w41a firmware 
Version: 2308214_000923;
Product: L3u42a firmware 
Version: 2308214_000923;
Product: L3u43a firmware 
Version: 2308214_000923;
Product: G1w39a firmware 
Version: 2308214_000923;
Product: G1w40a firmware 
Version: 2308214_000923;
Product: Cf069a firmware 
Version: 2308214_000921;
Product: Cf066a firmware 
Version: 2308214_000921;
Product: Cf067a firmware 
Version: 2308214_000921;
Product: Cf068a firmware 
Version: 2308214_000921;
Product: Cz244a firmware 
Version: 2308214_000920;
Product: Cz245a firmware 
Version: 2308214_000920;
Product: Cf367a firmware 
Version: 2308214_000916;
Product: Cf116a firmware 
Version: 2308214_000913;
Product: Cf117a firmware 
Version: 2308214_000913;
Product: Cf118a firmware 
Version: 2308214_000913;
Product: B3g85a firmware 
Version: 2308214_000912;
Product: G1w46a firmware 
Version: 2308214_000910;
Product: G1w46v firmware 
Version: 2308214_000910;
Product: L3u44a firmware 
Version: 2308214_000910;
Product: G1w47a firmware 
Version: 2308214_000910;
Product: G1w47v firmware 
Version: 2308214_000910;
Product: B5l46a firmware 
Version: 2308214_000909;
Product: B5l47a firmware 
Version: 2308214_000909;
Product: B5l48a firmware 
Version: 2308214_000909;
Product: E6b73a firmware 
Version: 2308214_000908;
Product: B5l26a firmware 
Version: 2308214_000907;
Product: C2s11a firmware 
Version: 2308214_000906;
Product: C2s12a firmware 
Version: 2308214_000906;
Product: F2a76a firmware 
Version: 2308214_000905;
Product: F2a77a firmware 
Version: 2308214_000905;
Product: F2a81a firmware 
Version: 2308214_000905;
Product: B5l07a firmware 
Version: 2308214_000902;
Product: B5l04a firmware 
Version: 2308214_000902;
Product: B5l05a firmware 
Version: 2308214_000902;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
https://support.hp.com/us-en/document/c05949322

Related CVE
CVE-2018-7120
A security vulnerability in the HPE Virtual Connect SE 16Gb Fibre Channel Module for HPE Synergy running firmware 5.00.50, which is part of the HPE Synergy Custom SPP 2018.11.20190205, could allow local or remote unauthorized elevation of privilege.
CVE-2018-7119
A Local Disclosure of Sensitive Information vulnerability was identified in HPE NonStop Safeguard earlier than version SPR T9750L01^AIC or T9750H05^AIH, and later versions when the PASSWORD-PROMPT configuration attribute is not set to BLIND; all vers...
CVE-2018-5927
HP Support Assistant before 8.7.50.3 allows an unauthorized person with local access to load arbitrary code.
CVE-2018-5926
A potential vulnerability has been identified in HP Remote Graphics Software?s certificate authentication process version 7.5.0 and earlier.
CVE-2018-5923
In HP LaserJet Enterprise, HP PageWide Enterprise, HP LaserJet Managed, and HP OfficeJet Enterprise Printers, solution application signature checking may allow potential execution of arbitrary code.
CVE-2017-2752
A potential security vulnerability caused by incomplete obfuscation of application configuration information was discovered in Tommy Hilfiger TH24/7 Android app versions 2.0.0.11, 2.0.1.14, 2.1.0.16, and 2.2.0.19. HP has no access to customer data as...
CVE-2017-2748
A potential security vulnerability caused by the use of insecure (http) transactions during login has been identified with early versions of the Isaac Mizrahi Smartwatch mobile app. HP has no access to customer data as a result of this issue.
CVE-2019-3484
Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.

Copyright 2019, cxsecurity.com

 

Back to Top