National Cyber-Alert System
Vulnerability Summary for CVE-2009-0940
Original release date: 03/18/2009
Last revised: 04/02/2009
Source: US-CERT/NIST
Overview
Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that (1) print documents via unknown vectors, (2) modify the network configuration via a NetIPChange request to hp/device/config_result_YesNo.html/config, or (3) change the password via the Password and ConfirmPassword parameters to hp/device/set_config_password.html/config.
Impact
CVSS Severity (version 2.0):
Impact Subscore: 6.4
Exploitability Subscore: 4.9
CVSS Version 2 Metrics:
Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service
References to Advisories, Solutions, and Tools
VUPEN: ADV-2009-0754
BID: 34143
BUGTRAQ: 20090316 HP Laserjet multiple models web management CSRF vulnerability & insecure default configuration
MISC: http://www.louhinetworks.fi/advisory/HP_20090317.txt
OSVDB: 52849
OSVDB: 52848
OSVDB: 52847
HP: HPSN-2009-001 (Advisory)