Details of VAR-202204-1591

ID

VAR-202204-1591

CVE

CVE-2022-25344

TITLE

Kyocera d-COLOR MF3555 Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-61445 // CNNVD: CNNVD-202204-3893

DESCRIPTION

An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser. olivetti of d-color mf3555 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Kyocera d-COLOR MF3555 is a color multifunction printer from Kyocera Corporation of Japan. An attacker can exploit this vulnerability through the /dvcset/sysset/set. The arg01.hostname field in the cgi post request executes JavaScript code

Trust: 2.25

sources: NVD: CVE-2022-25344 // JVNDB: JVNDB-2022-008679 // CNVD: CNVD-2022-61445 // VULMON: CVE-2022-25344

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-61445

AFFECTED PRODUCTS

vendor:	olivetti	model:	d-color mf3555	scope:	eq	version:	2xd_s000.002.271	Trust: 1.0
vendor:	olivetti	model:	d-color mf3555	scope:	eq	version:	d-color mf3555 firmware 2xd s000.002.271	Trust: 0.8
vendor:	olivetti	model:	d-color mf3555	scope:	eq	version:	-	Trust: 0.8
vendor:	olivetti	model:	d-color mf3555	scope:	-	version:	-	Trust: 0.8
vendor:	kyocera	model:	d-color mf3555 2xd s000.002.271	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-61445 // JVNDB: JVNDB-2022-008679 // NVD: CVE-2022-25344

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-25344
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-25344
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-61445
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202204-3893
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2022-25344
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-25344
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-61445
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-25344
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2022-25344
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-61445 // VULMON: CVE-2022-25344 // JVNDB: JVNDB-2022-008679 // CNNVD: CNNVD-202204-3893 // NVD: CVE-2022-25344

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-008679 // NVD: CVE-2022-25344

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3893

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202204-3893

EXTERNAL IDS

db:	NVD	id:	CVE-2022-25344	Trust: 3.9
db:	JVNDB	id:	JVNDB-2022-008679	Trust: 0.8
db:	CNVD	id:	CNVD-2022-61445	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3893	Trust: 0.6
db:	VULMON	id:	CVE-2022-25344	Trust: 0.1

sources: CNVD: CNVD-2022-61445 // VULMON: CVE-2022-25344 // JVNDB: JVNDB-2022-008679 // CNNVD: CNNVD-202204-3893 // NVD: CVE-2022-25344

REFERENCES

url:	https://www.gruppotim.it/it/footer/red-team.html	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-25344	Trust: 1.4
url:	https://kyocera.com	Trust: 0.7
url:	https://cxsecurity.com/cveshow/cve-2022-25344/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-61445 // VULMON: CVE-2022-25344 // JVNDB: JVNDB-2022-008679 // CNNVD: CNNVD-202204-3893 // NVD: CVE-2022-25344

SOURCES

db:	CNVD	id:	CNVD-2022-61445
db:	VULMON	id:	CVE-2022-25344
db:	JVNDB	id:	JVNDB-2022-008679
db:	CNNVD	id:	CNNVD-202204-3893
db:	NVD	id:	CVE-2022-25344

LAST UPDATE DATE

2024-08-14T15:27:18.723000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-61445	date:	2022-09-02T00:00:00
db:	VULMON	id:	CVE-2022-25344	date:	2022-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2022-008679	date:	2023-07-28T08:05:00
db:	CNNVD	id:	CNNVD-202204-3893	date:	2022-07-01T00:00:00
db:	NVD	id:	CVE-2022-25344	date:	2022-05-12T20:06:58.393

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-61445	date:	2022-09-02T00:00:00
db:	VULMON	id:	CVE-2022-25344	date:	2022-04-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-008679	date:	2023-07-28T00:00:00
db:	CNNVD	id:	CNNVD-202204-3893	date:	2022-04-20T00:00:00
db:	NVD	id:	CVE-2022-25344	date:	2022-04-20T13:15:07.683