CVE-2022-25344

An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.
References
Link Resource
https://www.gruppotim.it/it/footer/red-team.html Exploit Vendor Advisory
https://www.gruppotim.it/it/footer/red-team.html Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:olivetti:d-color_mf3555_firmware:2xd_s000.002.271:*:*:*:*:*:*:*
cpe:2.3:h:olivetti:d-color_mf3555:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:52

Type Values Removed Values Added
References () https://www.gruppotim.it/it/footer/red-team.html - Exploit, Vendor Advisory () https://www.gruppotim.it/it/footer/red-team.html - Exploit, Vendor Advisory

12 May 2022, 20:06

Type Values Removed Values Added
CPE cpe:2.3:h:kyocera:d-color_mf3555:-:*:*:*:*:*:*:*
cpe:2.3:o:kyocera:d-color_mf3555_firmware:2xd_s000.002.271:*:*:*:*:*:*:*
cpe:2.3:o:olivetti:d-color_mf3555_firmware:2xd_s000.002.271:*:*:*:*:*:*:*
cpe:2.3:h:olivetti:d-color_mf3555:-:*:*:*:*:*:*:*
References (MISC) https://www.gruppotim.it/it/footer/red-team.html - Exploit, Third Party Advisory (MISC) https://www.gruppotim.it/it/footer/red-team.html - Exploit, Vendor Advisory

11 May 2022, 15:15

Type Values Removed Values Added
References
  • {'url': 'https://kyocera.com', 'name': 'https://kyocera.com', 'tags': ['Vendor Advisory'], 'refsource': 'MISC'}

10 May 2022, 16:15

Type Values Removed Values Added
Summary An XSS issue was discovered on Kyocera d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser. An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.

28 Apr 2022, 15:44

Type Values Removed Values Added
References (MISC) https://www.gruppotim.it/it/footer/red-team.html - (MISC) https://www.gruppotim.it/it/footer/red-team.html - Exploit, Third Party Advisory
References (MISC) https://kyocera.com - (MISC) https://kyocera.com - Vendor Advisory
CWE CWE-79
CPE cpe:2.3:h:kyocera:d-color_mf3555:-:*:*:*:*:*:*:*
cpe:2.3:o:kyocera:d-color_mf3555_firmware:2xd_s000.002.271:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 6.1

20 Apr 2022, 13:28

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-20 13:15

Updated : 2024-11-21 06:52


NVD link : CVE-2022-25344

Mitre link : CVE-2022-25344

CVE.ORG link : CVE-2022-25344


JSON object : View

Products Affected

olivetti

  • d-color_mf3555_firmware
  • d-color_mf3555
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')