CVE-2009-2684 – HP LaserJet Printers - Multiple Persistent Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-2684
Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Jetdirect y Embedded Web Server (EWS) sobre ciertas HP LaserJet e impresoras Color LaserJet, y HP Digital Senders, permiten a atacantes remotos inyectar código web o HTML a su elección a través de (1) Product_URL o (2)parámetro Tech_URL en una acción Apply en el código support_param.html/config. • https://www.exploit-db.com/exploits/10011 https://www.exploit-db.com/exploits/10055 http://dsecrg.com/pages/vul/show.php?id=148 http://marc.info/?l=bugtraq&m=125493484205823&w=2 http://secunia.com/advisories/36969 http://www.securityfocus.com/archive/1/507038/100/0/threaded http://www.securityfocus.com/bid/36613 http://www.vupen.com/english/advisories/2009/2850 https://exchange.xforce.ibmcloud.com/vulnerabilities/53677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-0940
https://notcve.org/view.php?id=CVE-2009-0940
Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that (1) print documents via unknown vectors, (2) modify the network configuration via a NetIPChange request to hp/device/config_result_YesNo.html/config, or (3) change the password via the Password and ConfirmPassword parameters to hp/device/set_config_password.html/config. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders, permiten a atacantes remotos (1) imprimir documentos mediante vectores desconocidos, (2) modificar la configuración de red mediante una petición NetIPChange a hp/device/config_result_YesNo.html/config o (3) cambiar la contraseña mediante los parámetros Password y ConfirmPassword a hp/device/set_config_password.html/config. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566 http://osvdb.org/52847 http://osvdb.org/52848 http://osvdb.org/52849 http://www.louhinetworks.fi/advisory/HP_20090317.txt http://www.securityfocus.com/archive/1/501884/100/0/threaded http://www.securityfocus.com/bid/34143 http://www.vupen.com/english/advisories/2009/0754 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-0941
https://notcve.org/view.php?id=CVE-2009-0941
The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders has no management password by default, which makes it easier for remote attackers to obtain access. El HP Embedded Web Server (EWS) en HP LaserJet Printers, Edgeline Printers, y Digital Senders no tiene contraseña de administración por defecto, lo que facilita a atacantes remotos el obtener acceso. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566 http://www.louhinetworks.fi/advisory/HP_20090317.txt http://www.securityfocus.com/archive/1/501884/100/0/threaded http://www.vupen.com/english/advisories/2009/0754 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-4419
https://notcve.org/view.php?id=CVE-2008-4419
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI. Vulnerabilidad de salto de directorio en la interfaz de administración Web HP JetDirect en el servidor web empotrado HP-ChaiSOE v1.0 en las LaserJet 9040mfp, LaserJet 9050mfp y Color LaserJet 9500mfp anteriores al software empotrado 08.110.9; LaserJet 4345mfp y 9200C Digital Sender anteriores al software empotrado 09.120.9; Color LaserJet 4730mfp anterior al software empotrado 46.200.9; LaserJet 2410, LaserJet 2420 y LaserJet 2430 anterior al software empotrado 20080819 SPCL112A; LaserJet 4250 y LaserJet 4350 anterior al software empotrado 20080819 SPCL015A; y LaserJet 9040 y LaserJet 9050 anterior al software empotrado 20080819 SPCL110A; permite a atacantes remotos leer ficheros arbitrario a través de secuencias de salto de directorio en el URI. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905 http://secunia.com/advisories/33779 http://www.securityfocus.com/archive/1/500657/100/0/threaded http://www.securityfocus.com/bid/33611 http://www.securitytracker.com/id?1021687 http://www.vupen.com/english/advisories/2009/0341 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •