ID

VAR-202003-0127


CVE

CVE-2020-10668


TITLE

Canon Oce Colorwave 500 Cross-site scripting vulnerabilities in printers

Trust: 0.8

sources: JVNDB: JVNDB-2020-003094

DESCRIPTION

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in /home.jsp. The vulnerable parameter is openSI. NOTE: this is fixed in the latest version. Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the web application's lack of proper validation of client-supplied data. Attackers can use this vulnerability to execute client-side code.

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671

We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer.

CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past.

CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page.

CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”.

Finally CVE-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery.

More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.25

sources: NVD: CVE-2020-10668 // JVNDB: JVNDB-2020-003094 // CNVD: CNVD-2020-18989 // PACKETSTORM: 156833

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18989

AFFECTED PRODUCTS

vendor: canon, model: oce colorwave 500, scope: lte, version: 4.0.0.0

Trust: 1.0

vendor: canon, model: oce colorwave 500, scope: eq, version: 4.0.0.0

Trust: 0.8

vendor: canon, model: oce colorwave, scope: eq, version: 5004.0.0.0

Trust: 0.6

sources: CNVD: CNVD-2020-18989 // JVNDB: JVNDB-2020-003094 // NVD: CVE-2020-10668

CVSS

SEVERITY / CVSSV2 / CVSSV3

nvd@nist.gov: CVE-2020-10668
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003094
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-18989
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1226
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-10668
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003094
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-18989
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10668
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003094
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-18989 // JVNDB: JVNDB-2020-003094 // CNNVD: CNNVD-202003-1226 // NVD: CVE-2020-10668

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003094 // NVD: CVE-2020-10668

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1226

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-1226

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003094

PATCH

title: Oce ColorWave 500, url: http://www.canon-pps.co.jp/products/old-products/ColorWave500/index.html

Trust: 0.8

title: Patch for Canon Oce Colorwave 500 Cross-site Scripting Vulnerability (CNVD-2020-18989), url: https://www.cnvd.org.cn/patchInfo/show/210485

Trust: 0.6

title: Canon Oce Colorwave 500 Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112708

Trust: 0.6

sources: CNVD: CNVD-2020-18989 // JVNDB: JVNDB-2020-003094 // CNNVD: CNNVD-202003-1226

EXTERNAL IDS

db: PACKETSTORM, id: 156833

Trust: 3.1

db: NVD, id: CVE-2020-10668

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003094

Trust: 0.8

db: CNVD, id: CNVD-2020-18989

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1226

Trust: 0.6

sources: CNVD: CNVD-2020-18989 // JVNDB: JVNDB-2020-003094 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1226 // NVD: CVE-2020-10668

REFERENCES

url: http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html

Trust: 3.6

url: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.3

url: http://seclists.org/fulldisclosure/2020/mar/24

Trust: 2.2

url: https://nvd.nist.gov/vuln/detail/cve-2020-10668

Trust: 1.5

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10668

Trust: 0.8

url: https://global.canon/

Trust: 0.6

url: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378&sku%3c%3esku_id=1689949372031068&folder%3c%3efolder_id=2534374302162637&bmuid=mpykkhm

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-10669

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-10671

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-10667

Trust: 0.1

url: https://www.redtimmy.com

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-10670

Trust: 0.1

url: https://www.canon.com

Trust: 0.1

sources: CNVD: CNVD-2020-18989 // JVNDB: JVNDB-2020-003094 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1226 // NVD: CVE-2020-10668

CREDITS

Giuseppe Cali, Marco Ortisi, redtimmysec

Trust: 0.6

sources: CNNVD: CNNVD-202003-1226

SOURCES

db: CNVD, id: CNVD-2020-18989
db: JVNDB, id: JVNDB-2020-003094
db: PACKETSTORM, id: 156833
db: CNNVD, id: CNNVD-202003-1226
db: NVD, id: CVE-2020-10668

LAST UPDATE DATE

2024-11-23T21:36:04.672000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-18989, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003094, date: 2020-04-03T00:00:00
db: CNNVD, id: CNNVD-202003-1226, date: 2020-03-24T00:00:00
db: NVD, id: CVE-2020-10668, date: 2024-11-21T04:55:48.467

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-18989, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003094, date: 2020-04-03T00:00:00
db: PACKETSTORM, id: 156833, date: 2020-03-19T22:03:23
db: CNNVD, id: CNNVD-202003-1226, date: 2020-03-19T00:00:00
db: NVD, id: CVE-2020-10668, date: 2020-03-19T19:15:11.833