# Exploit Author: Giuseppe Calì, Marco Ortisi
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://www.canon.com
# Software Link:
https://lfpp.csa.canon.com/tss/tss_product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441910378&SKU%3C%3Esku_id=1689949372031068&FOLDER%3C%3Efolder_id=2534374302162637&bmUID=mpYkKHM
# Version: 4.0.0.0
# CVE: 2020-10667, 2020-10668, 2020-10669, 2020-10670, 2020-10671
We have recently registered five CVE(s) affecting the Oce
Colorwave 500
printer.
CVE-2020-10669 is an authentication bypass allowing an attacker
to
access
documents that have been uploaded to the printer. As the
documents
remain stored
in the system even after they have been printed (depending on
the
printer's
configuration), a malicious insider may be able to access
documents
printed in
the past.
CVE-2020-10667 is a Stored XSS on the
“/TemplateManager/indexExternalLocation.jsp”
page.
CVE-2020-10668 and CVE-10670 are two Reflected XSS on pages
“/home.jsp”
and
“/SettingsEditor/settingDialogContent.jsp”.
Finally CVE-10671 is a system-wide CSRF due to the absence of
any form
of nonce
or countermeasure protecting against Cross Site Request
Forgery.
More details and full story here:
https://www.redtimmy.com/red-teaming/hacking-the-oce-colorwave-printer-when-a-quick-security-assessment-determines-the-success-of-a-red-team-exercise/
Read more https://packetstormsecurity.com/files/156833/ocecolorwave500-xssxsrfbypass.txt
