Vulnerability Note VU#108062
Lexmark laser printers contain multiple vulnerabilities
Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.
CWE-620: Unverified Password Change - CVE-2013-6032
Certain models of Lexmark laser printers and MarkNet devices are vulnerable to an attack that allows a remote, unauthenticated attacker to change the administrative password of the printer's web administration interface. The interface does not sufficiently validate the vac.255.GENPASSWORD parameter in POST requests to the /cgi-bin/postpf/cgi-bin/dynamic/config/config.html page: it neither requires an authenticated session nor verifies the current password before accepting a new one (CWE-620), so an unauthenticated remote attacker can reset the administrative password to an empty string.
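The following is an added illustration of the CWE-620 pattern described above, not Lexmark's firmware or any code from this note. It contrasts a handler that behaves as the advisory describes (any POST to the config page carrying the parameter is honoured, with no session check, no current-password check, and an empty value accepted) with a hardened handler that requires an authenticated admin session, verifies the current password with a constant-time comparison, and rejects empty or short new passwords. The parameter name and page path are taken from the advisory; the session flag, the `current_password` field, the `AdminStore` class and the sample request bodies are assumptions constructed for the demo.

```python
"""Vulnerable vs. hardened admin password change (CWE-620 illustration).

Added example, not Lexmark code. Only PARAM and CONFIG_PATH come from the
advisory; the session model, storage and form field names are assumed.
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs

CONFIG_PATH = "/cgi-bin/postpf/cgi-bin/dynamic/config/config.html"  # from advisory
PARAM = "vac.255.GENPASSWORD"                                         # from advisory
CURRENT_FIELD = "current_password"                                    # assumed name
MIN_LENGTH = 8


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stand-in for however firmware stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminStore:
    """Holds the single administrative credential as salt + hash (assumed)."""

    def __init__(self, password: str) -> None:
        self.set(password)

    def set(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        # Constant-time compare avoids leaking how many bytes matched.
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


def vulnerable_change(store: AdminStore, path: str, body: str,
                      authenticated: bool = False) -> int:
    """The behaviour the advisory describes: no session check, no current
    password, and an empty GENPASSWORD value blanks the admin password."""
    if path != CONFIG_PATH:
        return 404
    form = parse_qs(body, keep_blank_values=True)
    if PARAM in form:
        store.set(form[PARAM][0])  # "" is accepted: password becomes empty
    return 200


def hardened_change(store: AdminStore, path: str, body: str,
                    authenticated: bool = False) -> int:
    """Requires an admin session, proof of the current password, and a
    non-trivial new value before the credential is replaced."""
    if path != CONFIG_PATH:
        return 404
    if not authenticated:
        return 401  # unauthenticated POSTs must not reach the setter at all
    form = parse_qs(body, keep_blank_values=True)
    if PARAM not in form:
        return 200  # ordinary config save without a password change
    current = form.get(CURRENT_FIELD, [""])[0]
    new_password = form[PARAM][0]
    if not store.verify(current):
        return 403  # CWE-620 fix: the caller must prove the old password
    if len(new_password) < MIN_LENGTH:
        return 400  # never accept an empty (or trivially short) password
    store.set(new_password)
    return 200


def demo() -> dict:
    """Replays one constructed attacker request against both handlers."""
    attacker_body = f"{PARAM}="  # constructed: unauthenticated reset to ""
    results = {}

    weak = AdminStore("Pr1nt3r-Adm1n")
    results["vulnerable_status"] = vulnerable_change(weak, CONFIG_PATH, attacker_body)
    results["vulnerable_blank_login_works"] = weak.verify("")

    strong = AdminStore("Pr1nt3r-Adm1n")
    results["hardened_status"] = hardened_change(strong, CONFIG_PATH, attacker_body)
    results["hardened_blank_login_works"] = strong.verify("")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler's three checks are independent: dropping the session check alone would let the current-password check be brute-forced remotely, and dropping the length check alone would let an authenticated admin recreate the empty-password condition by accident.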
Through the stored cross-site scripting vulnerability (CVE-2013-6033), an attacker may be able to run arbitrary script in the context of a victim's browser. Through the unverified password change (CVE-2013-6032), a remote unauthenticated attacker may be able to gain full administrative control of the printer.
Apply an Update. Affected models should be updated with firmware from Lexmark. As a general precaution until an update is applied, restrict network access to the printer's web administration interface to trusted hosts.
Vendor Information

Vendor                 | Status   | Date Notified | Date Updated
-----------------------|----------|---------------|-------------
Lexmark International  | Affected | 16 Oct 2013   | 24 Jan 2014

CVSS Metrics
Thanks to Jeff Popio for reporting this vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2013-6032 CVE-2013-6033
- Date Public: 31 Jan 2014
- Date First Published: 31 Jan 2014
- Date Last Updated: 31 Jan 2014
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.