Details of VAR-201402-0120

ID

VAR-201402-0120

CVE

CVE-2013-6033

TITLE

Lexmark laser printers contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#108062

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities on Lexmark W840 through LS.HA.P252, T64x before LS.ST.P344, C935dn through LC.JO.P091, C920 through LS.TA.P152, C53x through LS.SW.P069, C52x through LS.FA.P150, E450 through LM.SZ.P124, E350 through LE.PH.P129, and E250 through LE.PM.P126 printers allow remote authenticated users to inject arbitrary web script or HTML by using (1) SNMP or (2) the Embedded Web Server (EWS) to set the (a) Contact or (b) Location field. Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks. Lexmark Laser Printers is a laser printer device. The Lexmark Laser Printers management web interface fails to properly filter the user input to the \"Location\" and \"Contact Name\" fields of the \"General Settings\" configuration page, allowing remote attackers to exploit the vulnerability to inject malicious scripts or HTML code when malicious data is viewed. Get sensitive information or hijack user sessions. Lexmark Laser Printers are prone to an HTML-injection vulnerability because they fail to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible

Trust: 3.15

sources: NVD: CVE-2013-6033 // CERT/CC: VU#108062 // JVNDB: JVNDB-2013-005983 // CNVD: CNVD-2014-00768 // BID: 65277

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-00768

AFFECTED PRODUCTS

vendor:	lexmark	model:	c52x	scope:	lte	version:	ls.fa.p150	Trust: 1.8
vendor:	lexmark	model:	c53x	scope:	lte	version:	ls.sw.p069	Trust: 1.8
vendor:	lexmark	model:	c920	scope:	lte	version:	ls.ta.p152	Trust: 1.8
vendor:	lexmark	model:	c935dn	scope:	lte	version:	lc.jo.p091	Trust: 1.8
vendor:	lexmark	model:	e250	scope:	lte	version:	le.pm.p126	Trust: 1.8
vendor:	lexmark	model:	e350	scope:	lte	version:	le.ph.p129	Trust: 1.8
vendor:	lexmark	model:	e450	scope:	lte	version:	lm.sz.p124	Trust: 1.8
vendor:	lexmark	model:	t64x	scope:	lte	version:	ls.st.p343	Trust: 1.8
vendor:	lexmark	model:	w840	scope:	lte	version:	ls.ha.p252	Trust: 1.8
vendor:	lexmark	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	lexmark	model:	laser printer w840	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer c920	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer t64x	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer c53x	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer c935dn	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer c52x	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer e450	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer e350	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	laser printer e250	scope:	-	version:	-	Trust: 0.6
vendor:	lexmark	model:	e350	scope:	eq	version:	le.ph.p129	Trust: 0.6
vendor:	lexmark	model:	e250	scope:	eq	version:	le.pm.p126	Trust: 0.6
vendor:	lexmark	model:	c935dn	scope:	eq	version:	lc.jo.p091	Trust: 0.6
vendor:	lexmark	model:	e450	scope:	eq	version:	lm.sz.p124	Trust: 0.6
vendor:	lexmark	model:	c920	scope:	eq	version:	ls.ta.p152	Trust: 0.6
vendor:	lexmark	model:	w840	scope:	eq	version:	ls.ha.p252	Trust: 0.6
vendor:	lexmark	model:	c52x	scope:	eq	version:	ls.fa.p150	Trust: 0.6
vendor:	lexmark	model:	t64x	scope:	eq	version:	ls.st.p343	Trust: 0.6
vendor:	lexmark	model:	c53x	scope:	eq	version:	ls.sw.p069	Trust: 0.6

sources: CERT/CC: VU#108062 // CNVD: CNVD-2014-00768 // JVNDB: JVNDB-2013-005983 // CNNVD: CNNVD-201402-019 // NVD: CVE-2013-6033

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-6033
value:	LOW
Trust: 1.0
NVD:	CVE-2013-6033
value:	LOW
Trust: 0.8
CNVD:	CNVD-2014-00768
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201402-019
value:	LOW
Trust: 0.6

nvd@nist.gov:	CVE-2013-6033
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-00768
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-00768 // JVNDB: JVNDB-2013-005983 // CNNVD: CNNVD-201402-019 // NVD: CVE-2013-6033

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2013-005983 // NVD: CVE-2013-6033

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-019

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-019

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005983

PATCH

title:	TE585 (HTML Vulnerability in 'Contact' and 'Location' Settings)	url:	http://support.lexmark.com/index?page=content&id=TE585&locale=EN&userlocale=EN_US	Trust: 0.8
title:	Lexmark Laser Printers HTML Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/43415	Trust: 0.6

sources: CNVD: CNVD-2014-00768 // JVNDB: JVNDB-2013-005983

EXTERNAL IDS

db:	CERT/CC	id:	VU#108062	Trust: 3.8
db:	NVD	id:	CVE-2013-6033	Trust: 3.3
db:	BID	id:	65277	Trust: 2.5
db:	OSVDB	id:	102752	Trust: 1.6
db:	JVN	id:	JVNVU92568059	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-005983	Trust: 0.8
db:	CNVD	id:	CNVD-2014-00768	Trust: 0.6
db:	CNNVD	id:	CNNVD-201402-019	Trust: 0.6

sources: CERT/CC: VU#108062 // CNVD: CNVD-2014-00768 // BID: 65277 // JVNDB: JVNDB-2013-005983 // CNNVD: CNNVD-201402-019 // NVD: CVE-2013-6033

REFERENCES

url:	http://www.kb.cert.org/vuls/id/108062	Trust: 3.0
url:	http://www.securityfocus.com/bid/65277	Trust: 1.6
url:	http://www.osvdb.org/102752	Trust: 1.6
url:	http://support.lexmark.com/index?page=content&id=te585	Trust: 1.6
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6033	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu92568059/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6033	Trust: 0.8
url:	http://www.lexmark.com/	Trust: 0.3

sources: CERT/CC: VU#108062 // CNVD: CNVD-2014-00768 // BID: 65277 // JVNDB: JVNDB-2013-005983 // CNNVD: CNNVD-201402-019 // NVD: CVE-2013-6033

CREDITS

Jeff Popio

Trust: 0.3

sources: BID: 65277

SOURCES

db:	CERT/CC	id:	VU#108062
db:	CNVD	id:	CNVD-2014-00768
db:	BID	id:	65277
db:	JVNDB	id:	JVNDB-2013-005983
db:	CNNVD	id:	CNNVD-201402-019
db:	NVD	id:	CVE-2013-6033

LAST UPDATE DATE

2024-11-23T22:13:50.001000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#108062	date:	2014-01-31T00:00:00
db:	CNVD	id:	CNVD-2014-00768	date:	2014-02-13T00:00:00
db:	BID	id:	65277	date:	2014-01-31T00:00:00
db:	JVNDB	id:	JVNDB-2013-005983	date:	2014-02-05T00:00:00
db:	CNNVD	id:	CNNVD-201402-019	date:	2014-02-08T00:00:00
db:	NVD	id:	CVE-2013-6033	date:	2024-11-21T01:58:39.473

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#108062	date:	2014-01-31T00:00:00
db:	CNVD	id:	CNVD-2014-00768	date:	2014-02-13T00:00:00
db:	BID	id:	65277	date:	2014-01-31T00:00:00
db:	JVNDB	id:	JVNDB-2013-005983	date:	2014-02-05T00:00:00
db:	CNNVD	id:	CNNVD-201402-019	date:	2014-02-08T00:00:00
db:	NVD	id:	CVE-2013-6033	date:	2014-02-04T05:39:08.213