Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.
CWE-620: Unverified Password Change - CVE-2013-6032
Certain models of Lexmark laser printers and MarkNet devices are vulnerable to an attack which allows a remote unauthenticated attacker to change the administrative password of the printer's web administration interface. The interface does not perform sufficient validation of the vac.255.GENPASSWORD parameter in POST requests to the /cgi-bin/postpf/cgi-bin/dynamic/config/config.html page, allowing an unauthenticated remote attacker to reset the administrative password to an empty string.
An attacker may be able to run arbitrary script in the context of a victim's browser. The attacker may also be able to gain full administrative control of the printer.
Apply an Update
Thanks to Jeff Popio for reporting this vulnerability.
This document was written by Todd Lewellen.