CVE-2022-25344

{"id": "CVE-2022-25344", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-04-20T13:15:07.683", "references": [{"url": "https://www.gruppotim.it/it/footer/red-team.html", "tags": ["Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser."}, {"lang": "es", "value": "Se ha descubierto un problema de XSS en los dispositivos Olivetti d-COLOR MF3555 2XD_S000.002.271. La aplicaci\u00f3n web no comprueba adecuadamente los par\u00e1metros, enviados en una petici\u00f3n POST /dvcset/sysset/set.cgi a trav\u00e9s del campo arg01.Hostname, antes de guardarlos en el servidor. Adem\u00e1s, el contenido malicioso de JavaScript se refleja en el usuario final y es ejecutado por el navegador web"}], "lastModified": "2022-05-12T20:06:58.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:olivetti:d-color_mf3555_firmware:2xd_s000.002.271:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB1005FD-93A8-4313-8564-B6DF8C83ABFA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:olivetti:d-color_mf3555:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F8D455C6-DDEF-42AE-B4BA-F0B40BD213F6"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}