Oce Colorwave 500 CSRF / XSS / Authentication Bypass Vulnerabilities

# Exploit Title: Océ Colorwave 500 printer: Multiple vulnerabilities
# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link: 
https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671

We have recently registered five CVE(s) affecting the Oce Colorwave 500 
printer.

CVE-2020-10669 is an authentication bypass allowing an attacker to 
access
documents that have been uploaded to the printer. As the documents 
remain stored
in the system even after they have been printed (depending on the 
printer's
configuration), a malicious insider may be able to access documents 
printed in
the past.

CVE-2020-10667 is a Stored XSS on the 
“/TemplateManager/indexExternalLocation.jsp”
page.

CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages “/home.jsp” 
and
“/SettingsEditor/settingDialogContent.jsp”.

Finally CVE-10671 is a system-wide CSRF due to the absence of any form 
of nonce
or countermeasure protecting against Cross Site Request Forgery.

More details and full story here: 
https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/

#  0day.today [2020-03-22]  #