ID

VAR-202003-0190


CVE

CVE-2020-10671


TITLE

Cross-site request forgery vulnerability in Canon Oce Colorwave 500 printers

Trust: 0.8

sources: JVNDB: JVNDB-2020-003092

DESCRIPTION

The web application of the Canon Oce Colorwave 500 4.0.0.0 printer lacks any form of CSRF protection. This is a system-wide issue. An attacker could perform administrative actions by targeting a logged-in administrative user. NOTE: this is fixed in the latest version.

A cross-site request forgery vulnerability exists in the Canon Oce Colorwave 500 printer. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

Canon Oce Colorwave 500 is a printer from Canon, Japan. The vulnerability stems from the program's lack of any form of cross-site request forgery protection. Attackers can use this vulnerability to perform management operations.

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link: https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671

We have recently registered five CVE(s) affecting the Oce Colorwave 500 printer.

CVE-2020-10669 is an authentication bypass allowing an attacker to access documents that have been uploaded to the printer. As the documents remain stored in the system even after they have been printed (depending on the printer's configuration), a malicious insider may be able to access documents printed in the past.

CVE-2020-10667 is a Stored XSS on the “/TemplateManager/indexExternalLocation.jsp” page.

CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” and “/SettingsEditor/settingDialogContent.jsp”.

More details and full story here: https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.25

sources: NVD: CVE-2020-10671 // JVNDB: JVNDB-2020-003092 // CNVD: CNVD-2020-18987 // PACKETSTORM: 156833

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18987

AFFECTED PRODUCTS

vendor: canon, model: oce colorwave 500, scope: lte, version: 4.0.0.0

Trust: 1.0

vendor: canon, model: oce colorwave 500, scope: eq, version: 4.0.0.0

Trust: 0.8

vendor: canon, model: oce colorwave, scope: eq, version: 5004.0.0.0

Trust: 0.6

sources: CNVD: CNVD-2020-18987 // JVNDB: JVNDB-2020-003092 // NVD: CVE-2020-10671

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10671
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003092
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-18987
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1229
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-10671
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003092
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-18987
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10671
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003092
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-18987 // JVNDB: JVNDB-2020-003092 // CNNVD: CNNVD-202003-1229 // NVD: CVE-2020-10671

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2020-003092 // NVD: CVE-2020-10671

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1229

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202003-1229

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003092

PATCH

title: Oce ColorWave 500, url: http://www.canon-pps.co.jp/products/old-products/ColorWave500/index.html

Trust: 0.8

title: Patch for Canon Oce Colorwave 500 CSRF Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/210467

Trust: 0.6

title: Canon Oce Colorwave 500 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112711

Trust: 0.6

sources: CNVD: CNVD-2020-18987 // JVNDB: JVNDB-2020-003092 // CNNVD: CNNVD-202003-1229

EXTERNAL IDS

db: PACKETSTORM, id: 156833

Trust: 3.1

db: NVD, id: CVE-2020-10671

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003092

Trust: 0.8

db: CNVD, id: CNVD-2020-18987

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1229

Trust: 0.6

sources: CNVD: CNVD-2020-18987 // JVNDB: JVNDB-2020-003092 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1229 // NVD: CVE-2020-10671

REFERENCES

url:http://packetstormsecurity.com/files/156833/oce-colorwave-500-csrf-xss-authentication-bypass.html

Trust: 3.0

url:https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-10671

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10671

Trust: 0.8

url:https://global.canon/

Trust: 0.6

url:https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?product%3c%3eprd_id=845524441910378&sku%3c%3esku_id=1689949372031068&folder%3c%3efolder_id=2534374302162637&bmuid=mpykkhm

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10669

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10668

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10667

Trust: 0.1

url:https://www.redtimmy.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10670

Trust: 0.1

url:https://www.canon.com

Trust: 0.1

sources: CNVD: CNVD-2020-18987 // JVNDB: JVNDB-2020-003092 // PACKETSTORM: 156833 // CNNVD: CNNVD-202003-1229 // NVD: CVE-2020-10671

CREDITS

Giuseppe Cali, Marco Ortisi, redtimmysec

Trust: 0.6

sources: CNNVD: CNNVD-202003-1229

SOURCES

db: CNVD, id: CNVD-2020-18987
db: JVNDB, id: JVNDB-2020-003092
db: PACKETSTORM, id: 156833
db: CNNVD, id: CNNVD-202003-1229
db: NVD, id: CVE-2020-10671

LAST UPDATE DATE

2024-11-23T21:36:04.731000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-18987, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003092, date: 2020-04-03T00:00:00
db: CNNVD, id: CNNVD-202003-1229, date: 2020-03-24T00:00:00
db: NVD, id: CVE-2020-10671, date: 2024-11-21T04:55:48.910

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-18987, date: 2020-03-24T00:00:00
db: JVNDB, id: JVNDB-2020-003092, date: 2020-04-03T00:00:00
db: PACKETSTORM, id: 156833, date: 2020-03-19T22:03:23
db: CNNVD, id: CNNVD-202003-1229, date: 2020-03-19T00:00:00
db: NVD, id: CVE-2020-10671, date: 2020-03-19T19:15:11.990