# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link:
https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671
We have recently registered five CVE(s) affecting the Oce Colorwave 500
printer.
CVE-2020-10669 is an authentication bypass allowing an attacker to
access
documents that have been uploaded to the printer. As the documents
remain stored
in the system even after they have been printed (depending on the
printer's
configuration), a malicious insider may be able to access documents
printed in
the past.
CVE-2020-10667 is a Stored XSS on the
“/TemplateManager/indexExternalLocation.jsp”
page.
CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp”
and
“/SettingsEditor/settingDialogContent.jsp”.
Finally CVE-10671 is a system-wide CSRF due to the absence of any form
of nonce
or countermeasure protecting against Cross Site Request Forgery.
More details and full story here:
https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/