ID

VAR-202003-0128


CVE

CVE-2020-10669


TITLE

Authentication vulnerabilities in Canon Oce Colorwave

Trust: 0.8

sources: JVNDB: JVNDB-2020-003169

DESCRIPTION

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to authentication bypass on the page /home.jsp. An unauthenticated attacker able to connect to the device's web interface can get a copy of the documents uploaded by any user. NOTE: this is fixed in the latest version.

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671

We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past.

CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page. CVE-2020-10668 and CVE-2020-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”. Finally, CVE-2020-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery.

More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.25

sources: NVD: CVE-2020-10669 // JVNDB: JVNDB-2020-003169 // CNVD: CNVD-2020-18985 // PACKETSTORM: 156833

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18985

AFFECTED PRODUCTS

vendor: canon, model: oce colorwave 500, scope: eq, version: 4.0.0.0

Trust: 1.8

vendor: canon, model: oce colorwave, scope: eq, version: 5004.0.0.0

Trust: 0.6

sources: CNVD: CNVD-2020-18985 // JVNDB: JVNDB-2020-003169 // NVD: CVE-2020-10669

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-10669
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003169
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-18985
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1237
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-10669
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003169
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-18985
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2020-10669
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003169
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-18985 // JVNDB: JVNDB-2020-003169 // CNNVD: CNNVD-202003-1237 // NVD: CVE-2020-10669

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2020-003169 // NVD: CVE-2020-10669

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1237

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202003-1237

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003169

PATCH

title: Oce ColorWave 500
url: http://www.canon-pps.co.jp/products/old-products/ColorWave500/index.html

Trust: 0.8

title: Patch for Canon Oce Colorwave 500 has an unknown vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/210503

Trust: 0.6

title: Canon Oce Colorwave 500 Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112718

Trust: 0.6

sources: CNVD: CNVD-2020-18985 // JVNDB: JVNDB-2020-003169 // CNNVD: CNNVD-202003-1237

EXTERNAL IDS

db: NVD, id: CVE-2020-10669

Trust: 3.1

db: PACKETSTORM, id: 156833

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003169

Trust: 0.8

db: CNVD, id: CNVD-2020-18985

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1237

Trust: 0.6

sources: CNVD: CNVD-2020-18985 // JVNDB: JVNDB-2020-003169 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1237 // NVD: CVE-2020-10669

REFERENCES

url:http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html

Trust: 3.6

url:http://seclists.org/fulldisclosure/2020/mar/24

Trust: 2.2

url:https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-10669

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10669

Trust: 0.8

url:https://global.canon/

Trust: 0.6

url:https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378&sku%3c%3esku_id=1689949372031068&folder%3c%3efolder_id=2534374302162637&bmuid=mpykkhm

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10668

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10667

Trust: 0.1

url:https://www.redtimmy.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10670

Trust: 0.1

url:https://www.canon.com

Trust: 0.1

sources: CNVD: CNVD-2020-18985 // JVNDB: JVNDB-2020-003169 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1237 // NVD: CVE-2020-10669

CREDITS

Giuseppe Cali, Marco Ortisi, redtimmysec

Trust: 0.6

sources: CNNVD: CNNVD-202003-1237

SOURCES

db: CNVD, id: CNVD-2020-18985
db: JVNDB, id: JVNDB-2020-003169
db: PACKETSTORM, id: 156833
db: CNNVD, id: CNNVD-202003-1237
db: NVD, id: CVE-2020-10669

LAST UPDATE DATE

2024-11-23T21:36:04.611000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-18985, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003169, date: 2020-04-06T00:00:00
db: CNNVD, id: CNNVD-202003-1237, date: 2020-03-25T00:00:00
db: NVD, id: CVE-2020-10669, date: 2024-11-21T04:55:48.617

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-18985, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003169, date: 2020-04-06T00:00:00
db: PACKETSTORM, id: 156833, date: 2020-03-19T22:03:23
db: CNNVD, id: CNNVD-202003-1237, date: 2020-03-19T00:00:00
db: NVD, id: CVE-2020-10669, date: 2020-03-19T23:15:18.583