Oce Colorwave 500 CSRF / XSS / Authentication Bypass

2020.03.20
Credit: Marco Ortisi
Risk: Medium
Local: No
Remote: Yes

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities # Exploit Author: Giuseppe Calì, Marco Ortisi # Authors blog: https://www.redtimmy.com # Vendor Homepage: https://www.canon.com # Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM # Version: 4.0.0.0 # CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671 We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer. CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past. CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page. CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”. Finally CVE-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery. More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top