ID
VAR-202003-0129
CVE
CVE-2020-10670
TITLE
Canon Oce Colorwave 500 Cross-site scripting vulnerabilities in printers
Trust: 0.8
DESCRIPTION
The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page. NOTE: this is fixed in the latest version. Canon Oce Colorwave 500 A cross-site scripting vulnerability exists in the printer.Information may be obtained and tampered with. Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code. # Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities # Exploit Author: Giuseppe Calì, Marco Ortisi # Authors blog: https://www.redtimmy.com # Vendor Homepage: https://www.canon.com # Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM # Version: 4.0.0.0 # CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671 We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer. CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past. CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page. CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”. Finally CVE-10671 is a system-wide CSRF due to the absence of any form of nonce or countermeasure protecting against Cross Site Request Forgery. More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/
Trust: 2.25
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | canon | model: | oce colorwave 500 | scope: | lte | version: | 4.0.0.0 | Trust: 1.0 |
| vendor: | canon | model: | oce colorwave 500 | scope: | eq | version: | 4.0.0.0 | Trust: 0.8 |
| vendor: | canon | model: | oce colorwave | scope: | eq | version: | 5004.0.0.0 | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
XSS
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Oce ColorWave 500 | url: | http://www.canon-pps.co.jp/products/old-products/ColorWave500/index.html | Trust: 0.8 |
| title: | Patch for Canon Oce Colorwave 500 cross-site scripting vulnerability (CNVD-2020-18988) | url: | https://www.cnvd.org.cn/patchInfo/show/210487 | Trust: 0.6 |
| title: | Canon Oce Colorwave 500 Fixes for cross-site scripting vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112709 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2020-10670 | Trust: 3.1 |
| db: | PACKETSTORM | id: | 156833 | Trust: 2.5 |
| db: | JVNDB | id: | JVNDB-2020-003091 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2020-18988 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202003-1227 | Trust: 0.6 |
REFERENCES
| url: | http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html | Trust: 2.4 |
| url: | https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/ | Trust: 1.7 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10670 | Trust: 1.5 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10670 | Trust: 0.8 |
| url: | https://global.canon/ | Trust: 0.6 |
| url: | https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/https | Trust: 0.6 |
| url: | https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378&sku%3c%3esku_id=1689949372031068&folder%3c%3efolder_id=2534374302162637&bmuid=mpykkhm | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10669 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10671 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10668 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10667 | Trust: 0.1 |
| url: | https://www.redtimmy.com | Trust: 0.1 |
| url: | https://www.canon.com | Trust: 0.1 |
CREDITS
Giuseppe Cali,Marco Ortisi, redtimmysec
Trust: 0.6
SOURCES
| db: | CNVD | id: | CNVD-2020-18988 |
| db: | JVNDB | id: | JVNDB-2020-003091 |
| db: | PACKETSTORM | id: | 156833 |
| db: | CNNVD | id: | CNNVD-202003-1227 |
| db: | NVD | id: | CVE-2020-10670 |
LAST UPDATE DATE
2024-11-23T21:36:04.641000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2020-18988 | date: | 2020-03-24T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-003091 | date: | 2020-04-03T00:00:00 |
| db: | CNNVD | id: | CNNVD-202003-1227 | date: | 2020-03-24T00:00:00 |
| db: | NVD | id: | CVE-2020-10670 | date: | 2024-11-21T04:55:48.763 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2020-18988 | date: | 2020-03-24T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-003091 | date: | 2020-04-03T00:00:00 |
| db: | PACKETSTORM | id: | 156833 | date: | 2020-03-19T22:03:23 |
| db: | CNNVD | id: | CNNVD-202003-1227 | date: | 2020-03-19T00:00:00 |
| db: | NVD | id: | CVE-2020-10670 | date: | 2020-03-19T19:15:11.927 |