Cross-Site Request Forgery in HP Embedded Web Server on HP Printers and Digital Senders
CVE-2009-0940

Currently unrated

Key Information:

Vendor: HP
Status: Laserjet P4010; Laserjet 2600n; Color Laserjet 4370mfp; Laserjet 4200
Vendor: CVE Published:; 18 March 2009

Summary

The HP Embedded Web Server (EWS) on various HP LaserJet Printers, Edgeline Printers, and Digital Senders is susceptible to multiple cross-site request forgery vulnerabilities. Attackers can exploit these weaknesses to perform unauthorized actions on behalf of users. Specifically, they may print documents through unknown vectors, alter network configurations via a specific NetIPChange request, or manipulate user passwords using the Password and ConfirmPassword fields. This creates opportunities for unauthorized access and control over printer settings and user credentials.

References

http://www.vupen.com/english/advisories/2009/0754

vdb-entryx_refsource_VUPEN

http://h20000.www2.hp.com/bizsupport/TechSupport/Document...

vendor-advisoryx_refsource_HP

http://osvdb.org/52848

vdb-entryx_refsource_OSVDB

Timeline

Vulnerability published
Mar 18, 2009
Vulnerability Reserved
Mar 18, 2009