ID

VAR-202003-0126


CVE

CVE-2020-10667


TITLE

Canon Oce Colorwave 500 Cross-site scripting vulnerabilities in printers

Trust: 0.8

sources: JVNDB: JVNDB-2020-003093

DESCRIPTION

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Stored XSS in /TemplateManager/indexExternalLocation.jsp. The vulnerable parameter is map(template_name). NOTE: this is fixed in the latest version.

Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code.

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671

We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer.

CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past.

CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page.

CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”.

Finally CVE-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery.

More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.25

sources: NVD: CVE-2020-10667 // JVNDB: JVNDB-2020-003093 // CNVD: CNVD-2020-18990 // PACKETSTORM: 156833

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18990

AFFECTED PRODUCTS

vendor: canon, model: oce colorwave 500, scope: lte, version: 4.0.0.0

Trust: 1.0

vendor: canon, model: oce colorwave 500, scope: eq, version: 4.0.0.0

Trust: 0.8

vendor: canon, model: oce colorwave, scope: eq, version: 5004.0.0.0

Trust: 0.6

sources: CNVD: CNVD-2020-18990 // JVNDB: JVNDB-2020-003093 // NVD: CVE-2020-10667

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10667
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003093
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-18990
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1225
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-10667
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003093
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-18990
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10667
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003093
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-18990 // JVNDB: JVNDB-2020-003093 // CNNVD: CNNVD-202003-1225 // NVD: CVE-2020-10667

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003093 // NVD: CVE-2020-10667

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1225

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-1225

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003093

PATCH

title: Oce ColorWave 500, url: http://www.canon-pps.co.jp/products/old-products/ColorWave500/index.html

Trust: 0.8

title: Patch for Canon Oce Colorwave 500 Cross-site Scripting Vulnerability (CNVD-2020-18990), url: https://www.cnvd.org.cn/patchInfo/show/210483

Trust: 0.6

sources: CNVD: CNVD-2020-18990 // JVNDB: JVNDB-2020-003093

EXTERNAL IDS

db: PACKETSTORM, id: 156833

Trust: 3.1

db: NVD, id: CVE-2020-10667

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003093

Trust: 0.8

db: CNVD, id: CNVD-2020-18990

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1225

Trust: 0.6

sources: CNVD: CNVD-2020-18990 // JVNDB: JVNDB-2020-003093 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1225 // NVD: CVE-2020-10667

REFERENCES

url:http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html

Trust: 3.6

url:http://seclists.org/fulldisclosure/2020/mar/24

Trust: 2.2

url:https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-10667

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10667

Trust: 0.8

url:https://global.canon/

Trust: 0.6

url:https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378&sku%3c%3esku_id=1689949372031068&folder%3c%3efolder_id=2534374302162637&bmuid=mpykkhm

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10669

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10668

Trust: 0.1

url:https://www.redtimmy.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10670

Trust: 0.1

url:https://www.canon.com

Trust: 0.1

sources: CNVD: CNVD-2020-18990 // JVNDB: JVNDB-2020-003093 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1225 // NVD: CVE-2020-10667

CREDITS

Giuseppe Cali,Marco Ortisi, redtimmysec

Trust: 0.6

sources: CNNVD: CNNVD-202003-1225

SOURCES

db: CNVD, id: CNVD-2020-18990
db: JVNDB, id: JVNDB-2020-003093
db: PACKETSTORM, id: 156833
db: CNNVD, id: CNNVD-202003-1225
db: NVD, id: CVE-2020-10667

LAST UPDATE DATE

2024-11-23T21:36:04.700000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-18990, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003093, date: 2020-04-03T00:00:00
db: CNNVD, id: CNNVD-202003-1225, date: 2020-03-24T00:00:00
db: NVD, id: CVE-2020-10667, date: 2024-11-21T04:55:48.317

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-18990, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003093, date: 2020-04-03T00:00:00
db: PACKETSTORM, id: 156833, date: 2020-03-19T22:03:23
db: CNNVD, id: CNNVD-202003-1225, date: 2020-03-19T00:00:00
db: NVD, id: CVE-2020-10667, date: 2020-03-19T19:15:11.770