VAR-202003-0129
Vulnerability from variot - Updated: 2023-12-18 12:17
The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page. NOTE: this is fixed in the latest version. A cross-site scripting vulnerability exists in the Canon Oce Colorwave 500 printer. Information may be obtained and tampered with. Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the web application's lack of proper validation of client-supplied data. Attackers can use this vulnerability to execute client-side code.
Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
Exploit Author: Giuseppe Calì, Marco Ortisi
Authors blog: https://www.redtimmy.com
Vendor Homepage: https://www.canon.com
Software Link:
https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
Version: 4.0.0.0
CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671
We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer.
CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past.
CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page.
CVE-2020-10668 and CVE-2020-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”.
Finally, CVE-2020-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery.
More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202003-0129",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "oce colorwave 500",
"scope": "lte",
"trust": 1.0,
"vendor": "canon",
"version": "4.0.0.0"
},
{
"model": "oce colorwave 500",
"scope": "eq",
"trust": 0.8,
"vendor": "canon",
"version": "4.0.0.0"
},
{
"model": "oce colorwave",
"scope": "eq",
"trust": 0.6,
"vendor": "canon",
"version": "5004.0.0.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canon:oce_colorwave_500_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:canon:oce_colorwave_500:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10670"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Giuseppe Cali,Marco Ortisi, redtimmysec",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
],
"trust": 0.6
},
"cve": "CVE-2020-10670",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-003091",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2020-18988",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2020-003091",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-10670",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-003091",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2020-18988",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202003-1227",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page. NOTE: this is fixed in the latest version. Canon Oce Colorwave 500 A cross-site scripting vulnerability exists in the printer.Information may be obtained and tampered with. Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code. # Exploit Title: Oc\u00e9 Colorwave 500 printer: Multiple vulnerabilities\n# Exploit Author: Giuseppe Cal\u00ec, Marco Ortisi\n# Authors blog: https://www.redtimmy.com\n# Vendor Homepage: https://www.canon.com\n# Software Link: \nhttps://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378\u0026SKU%3C%3Esku_id=1689949372031068\u0026FOLDER%3C%3Efolder_id=2534374302162637\u0026bmUID=mpYkKHM\n# Version: 4.0.0.0\n# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671\n\nWe have recently registered five CVE(s) affecting the Oce Colorwave 500 \nprinter. \n\nCVE-2020-10669 is an authentication bypass allowing an attacker to \naccess\ndocuments that have been uploaded to the printer. As the documents \nremain stored\nin the system even after they have been printed (depending on the \nprinter\u0027s\nconfiguration), a malicious insider may be able to access documents \nprinted in\nthe past. \n\nCVE-2020-10667 is a Stored XSS on the \n\u201c/TemplateManager/indexExternalLocation.jsp\u201d\npage. \n\nCVE-2020-10668 and CVE-10670 are two Reflected XSS on pages \u201c/home.jsp\u201d \nand\n\u201c/SettingsEditor/settingDialogContent.jsp\u201d. \n\nFinally CVE-10671 is a system-wide CSRF due to the absence of any form \nof nonce\nor countermeasure protecting against Cross Site Request Forgery. 
\n\nMore details and full story here: \nhttps://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "PACKETSTORM",
"id": "156833"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-10670",
"trust": 3.1
},
{
"db": "PACKETSTORM",
"id": "156833",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-18988",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "PACKETSTORM",
"id": "156833"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"id": "VAR-202003-0129",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
}
]
},
"last_update_date": "2023-12-18T12:17:18.609000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Oce ColorWave 500",
"trust": 0.8,
"url": "http://www.canon-pps.co.jp/products/old-products/colorwave500/index.html"
},
{
"title": "Patch for Canon Oce Colorwave 500 cross-site scripting vulnerability (CNVD-2020-18988)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/210487"
},
{
"title": "Canon Oce Colorwave 500 Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=112709"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html"
},
{
"trust": 1.7,
"url": "https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10670"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10670"
},
{
"trust": 0.6,
"url": "https://global.canon/"
},
{
"trust": 0.6,
"url": "https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/https"
},
{
"trust": 0.1,
"url": "https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378\u0026sku%3c%3esku_id=1689949372031068\u0026folder%3c%3efolder_id=2534374302162637\u0026bmuid=mpykkhm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10669"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10671"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10668"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10667"
},
{
"trust": 0.1,
"url": "https://www.redtimmy.com"
},
{
"trust": 0.1,
"url": "https://www.canon.com"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "PACKETSTORM",
"id": "156833"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"db": "PACKETSTORM",
"id": "156833"
},
{
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"date": "2020-04-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"date": "2020-03-19T22:03:23",
"db": "PACKETSTORM",
"id": "156833"
},
{
"date": "2020-03-19T19:15:11.927000",
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"date": "2020-03-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-18988"
},
{
"date": "2020-04-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003091"
},
{
"date": "2020-03-23T17:03:14.620000",
"db": "NVD",
"id": "CVE-2020-10670"
},
{
"date": "2020-03-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Canon Oce Colorwave 500 Cross-site scripting vulnerabilities in printers",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003091"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-1227"
}
],
"trust": 0.6
}
}