ID

VAR-200806-0345


CVE

CVE-2008-2743


TITLE

Xerox 4110, 4590 and 4595 Copier/Printers embedded web server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2008-005894

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the embedded web server in Xerox 4110, 4590, and 4595 Copier/Printers allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. The web server in multiple Xerox copier/printer models is prone to an unspecified HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the browser of a user viewing the affected site, within that site's origin, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. The following Xerox copier/printer models are affected: Xerox 4110, Xerox 4590, Xerox 4595.

TITLE: Xerox Copier/Printer Products Web Server Unspecified Script Insertion
SECUNIA ADVISORY ID: SA30639
VERIFY ADVISORY: http://secunia.com/advisories/30639/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From local network
OPERATING SYSTEM: Xerox 4110 Copier/Printer (http://secunia.com/product/19057/); Xerox 4590 Copier/Printer (http://secunia.com/product/19056/); Xerox 4595 Copier/Printer (http://secunia.com/product/19058/)
DESCRIPTION: A vulnerability has been reported in some Xerox Copier/Printer products, which can be exploited by malicious people to conduct script insertion attacks. Certain unspecified input in the Web Server is not properly sanitised before being used. The vulnerability affects the following products: Xerox 4110 Copier/Printer; Xerox 4590 Copier/Printer; Xerox 4595 Copier/Printer.
SOLUTION: Apply updates (see vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: The vendor credits Louhi Networks.
ORIGINAL ADVISORY: XRX08-007: http://www.xerox.com/downloads/usa/en/c/cert_XRX08_007.pdf

Trust: 1.98

sources: NVD: CVE-2008-2743 // JVNDB: JVNDB-2008-005894 // BID: 29690 // PACKETSTORM: 67284
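The advisories above give no attack vector, only the CWE-79 pattern: a request parameter reflected into HTML without encoding. The following is an added example, not code from Xerox, Secunia or the advisory, showing that pattern as a vulnerable handler beside its hardened form, and the canary check a tester would use to tell them apart from outside. The page template, the parameter name "q" and the canary value are assumptions for the demonstration; the actual input fixed by XRX08-007 on the 4110/4590/4595 web server is not disclosed.

```python
"""
Added example (not from the advisory or the vendor): a reflected-input
handler of the kind the entry describes, its hardened equivalent, and a
canary probe that classifies a response as unescaped / escaped / not
reflected. Parameter name, template and canary are assumptions.
"""
import html
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Canary carrying every character an HTML-escaping layer must encode.
CANARY = 'xss<"\'>canary'

# Assumed page template of an embedded device web UI.
TEMPLATE = "<html><body><h1>Status</h1><p>Search for: {value}</p></body></html>"


def vulnerable_page(query_string: str) -> str:
    """Handler that reflects the 'q' parameter into HTML verbatim (CWE-79)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(value=q)


def hardened_page(query_string: str) -> str:
    """Same handler with the value HTML-escaped; quote=True also encodes ' and "."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(value=html.escape(q, quote=True))


def probe_query(param: str = "q") -> str:
    """Query string carrying the canary in the given parameter, URL-encoded."""
    return urlencode({param: CANARY})


def probe_url(base_url: str, param: str = "q") -> str:
    """base_url with its query replaced by the canary probe."""
    parts = urlsplit(base_url)
    return urlunsplit(parts._replace(query=probe_query(param)))


def verdict(body: str) -> str:
    """Classifies a response body by how the canary came back."""
    if CANARY in body:
        return "unescaped"      # metacharacters intact: script injectable
    if html.escape(CANARY, quote=True) in body:
        return "escaped"        # reflected but neutralised
    return "not reflected"


def probe_live(base_url: str, param: str = "q", timeout: float = 5.0) -> str:
    """Fetches the probe URL from a device on the LAN and returns the verdict.
    Only run against hosts you are authorised to test."""
    with urllib.request.urlopen(probe_url(base_url, param), timeout=timeout) as resp:
        return verdict(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    query = probe_query()
    print("vulnerable handler:", verdict(vulnerable_page(query)))  # unescaped
    print("hardened handler:  ", verdict(hardened_page(query)))    # escaped
```

The offline part contrasts the two handlers; `probe_live` is the same check pointed at a real device URL, e.g. the printer's status page on the local network, which is where Secunia places the exposure ("From local network") even though NVD scores it AV:N.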

AFFECTED PRODUCTS

vendor: xerox, model: 4110, scope: -, version: -

Trust: 1.4

vendor: xerox, model: 4590, scope: -, version: -

Trust: 1.4

vendor: xerox, model: 4595, scope: -, version: -

Trust: 1.4

vendor: xerox, model: 4595, scope: eq, version: *

Trust: 1.0

vendor: xerox, model: 4110, scope: eq, version: *

Trust: 1.0

vendor: xerox, model: 4590, scope: eq, version: *

Trust: 1.0

vendor: xerox, model: copier/printer, scope: eq, version: 45950

Trust: 0.3

vendor: xerox, model: copier/printer, scope: eq, version: 45900

Trust: 0.3

vendor: xerox, model: copier/printer, scope: eq, version: 41100

Trust: 0.3

sources: BID: 29690 // JVNDB: JVNDB-2008-005894 // CNNVD: CNNVD-200806-239 // NVD: CVE-2008-2743

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-2743
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-2743
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200806-239
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2008-2743
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2008-005894 // CNNVD: CNNVD-200806-239 // NVD: CVE-2008-2743

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2008-005894 // NVD: CVE-2008-2743

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200806-239

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200806-239

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-005894

PATCH

title: Xerox Security Bulletin XRX08-007, url: http://www.xerox.com/downloads/usa/en/c/cert_XRX08_007.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2008-005894

EXTERNAL IDS

db: NVD, id: CVE-2008-2743

Trust: 2.7

db: BID, id: 29690

Trust: 1.9

db: SECUNIA, id: 30639

Trust: 1.7

db: SECTRACK, id: 1020282

Trust: 1.6

db: VUPEN, id: ADV-2008-1829

Trust: 1.6

db: JVNDB, id: JVNDB-2008-005894

Trust: 0.8

db: XF, id: 43058

Trust: 0.6

db: CNNVD, id: CNNVD-200806-239

Trust: 0.6

db: PACKETSTORM, id: 67284

Trust: 0.1

sources: BID: 29690 // JVNDB: JVNDB-2008-005894 // PACKETSTORM: 67284 // CNNVD: CNNVD-200806-239 // NVD: CVE-2008-2743

REFERENCES

url:http://www.xerox.com/downloads/usa/en/c/cert_xrx08_007.pdf

Trust: 2.0

url:http://www.securitytracker.com/id?1020282

Trust: 1.6

url:http://www.securityfocus.com/bid/29690

Trust: 1.6

url:http://secunia.com/advisories/30639

Trust: 1.6

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/43058

Trust: 1.0

url:http://www.vupen.com/english/advisories/2008/1829/references

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2743

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2743

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/43058

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2008/1829/references

Trust: 0.6

url:http://www.xerox.com

Trust: 0.3

url:http://secunia.com/product/19058/

Trust: 0.1

url:http://secunia.com/product/19056/

Trust: 0.1

url:http://secunia.com/advisories/30639/

Trust: 0.1

url:http://secunia.com/product/19057/

Trust: 0.1

sources: BID: 29690 // JVNDB: JVNDB-2008-005894 // PACKETSTORM: 67284 // CNNVD: CNNVD-200806-239 // NVD: CVE-2008-2743

CREDITS

Louhi Networks (Finland)

Trust: 0.9

sources: BID: 29690 // CNNVD: CNNVD-200806-239

SOURCES

db: BID, id: 29690
db: JVNDB, id: JVNDB-2008-005894
db: PACKETSTORM, id: 67284
db: CNNVD, id: CNNVD-200806-239
db: NVD, id: CVE-2008-2743

LAST UPDATE DATE

2025-04-10T23:15:43.090000+00:00


SOURCES UPDATE DATE

db: BID, id: 29690, date: 2015-05-07T17:28:00
db: JVNDB, id: JVNDB-2008-005894, date: 2012-12-20T00:00:00
db: CNNVD, id: CNNVD-200806-239, date: 2009-04-14T00:00:00
db: NVD, id: CVE-2008-2743, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: BID, id: 29690, date: 2008-06-12T00:00:00
db: JVNDB, id: JVNDB-2008-005894, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 67284, date: 2008-06-13T16:33:08
db: CNNVD, id: CNNVD-200806-239, date: 2008-06-17T00:00:00
db: NVD, id: CVE-2008-2743, date: 2008-06-17T15:41:00