Thank you for your feedback



Lexmark Security Advisory: Stored Cross Site Scripting Vulnerabilities (CVE-2020-10093, CVE-2020-10094)

Document ID:TE936

Usergroup :External
  Languages  
  Properties  

Solution

Lexmark Security Advisory:

 Revision:  1.1
 Last update:     20-April-2020
 Public Release Date:  27-April-2020

   

 

Summary

 
A couple of stored cross site scripting vulnerabilities have been identified on older Lexmark devices.

 

 

References

 
CVE: CVE-2020-10093, CVE-2020-10094

 

 

Details

 
A couple of stored cross site scripting vulnerabilities have been identified in the embedded web server used in
older Lexmark devices. The vulnerability can be used to attack the user’s browser, exposing session credentials
and other information accessible to the browser.
 

CVE-2020-10093
 

CVSSv3 Base Score 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6  
Exploitability Subscore: 2.1  

  

CVE-2020-10094
 

CVSSv3 Base Score 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6  
Exploitability Subscore: 2.1  

 

CVSSv3 scores are calculated in accordance with CVSS version 3.1 (https://www.first.org/cvss/user-guide)

 

Impact
 

Successful exploitation of this vulnerability can lead to disclosure of information accessible to the browser.

 

 

Affected Products

 
CVE-2020-10093

This issue only affects discontinued products, including the Pro910 series inkjet. Currently supported devices
are not vulnerable to this issue.

Lexmark recommends you replace any affected devices.

 
CVE-2020-10094

To determine a devices firmware level, select the Settings > Reports > Menu Setting Page menu item
from the operator panel.

If the firmware level listed under Device Information matches any level under
Affected Releases, then upgrade to a Fixed Release.


Lexmark Models Affected Releases Fixed Releases
CS31x LW74.VYL.P272 and previous LW74.VYL.P273 and later
CS41x LW74.VY2.P272 and previous LW74.VY2.P273 and later
CS51x LW74.VY4.P272 and previous LW74.VY4.P273 and later
CX310 LW74.GM2.P272 and previous LW74.GM2.P273 and later
CX410 & XC2130 LW74.GM4.P272 and previous LW74.GM4.P273 and later
CX510 & XC2132 LW74.GM7.P272 and previous LW74.GM7.P273 and later
MS310, MS312, MS317 LW74.PRL.P272 and previous LW74.PRL.P273 and later
MS410, M1140 LW74.PRL.P272 and previous LW74.PRL.P273 and later
MS315, MS415, MS417 LW74.TL2.P272 and previous LW74.TL2.P273 and later
MS51x, MS610dn, MS617 LW74.PR2.P272 and previous LW74.PR2.P273 and later
M1145, M3150dn LW74.PR2.P272 and previous LW74.PR2.P273 and later
MS610de, M3150 LW74.PR4.P272 and previous LW74.PR4.P273 and later
MS71x,M5163dn LW74.DN2.P272 and previous LW74.DN2.P273 and later
MS810, MS811, MS812, MS817, MS818 LW74.DN2.P272 and previous LW74.DN2.P273 and later
MS810de, M5155, M5163 LW74.DN4.P272 and previous LW74.DN4.P273 and later
MS812de, M5170 LW74.DN7.P272 and previous LW74.DN7.P273 and later
MS91x LW74.SA.P272 and previous LW74.SA.P273 and later
MX31x, XM1135 LW74.SB2.P272 and previous LW74.SB2.P273 and later
MX410, MX510 & MX511 LW74.SB4.P272 and previous LW74.SB4.P273 and later
XM1140, XM1145 LW74.SB4.P272 and previous LW74.SB4.P273 and later
MX610 & MX611 LW74.SB7.P272 and previous LW74.SB7.P273 and later
XM3150 LW74.SB7.P272 and previous LW74.SB7.P273 and later
MX71x, MX81x LW74.TU.P272 and previous LW74.TU.P273 and later
XM51xx & XM71xx LW74.TU.P272 and previous LW74.TU.P273 and later
MX91x & XM91x LW74.MG.P272 and previous LW74.MG.P273 and later
MX6500e LW74.JD.P272 and previous LW74.JD.P273 and later
C746 LHS60.CM2.P737 and previous LHS60.CM2.P738 and later
C748, CS748 LHS60.CM4.P737 and previous LHS60.CM4.P738 and later
C792, CS796 LHS60.HC.P737 and previous LHS60.HC.P738 and later
C925 LHS60.HV.P737 and previous LHS60.HV.P738 and later
C950 LHS60.TP.P737 and previous LHS60.TP.P738 and later
X548 & XS548 LHS60.VK.P737 and previous LHS60.VK.P738 and later
X74x & XS748 LHS60.NY.P737 and previous LHS60.NY.P738 and later

X792 & XS79x

LHS60.MR.P737 and previous LHS60.MR.P738 and later
X925 & XS925 LHS60.HK.P737 and previous LHS60.HK.P738 and later
X95x & XS95x LHS60.TQ.P737 and previous LHS60.TQ.P738 and later
6500e LHS60.JR.P737 and previous LHS60.JR.P738 and later
C734 LR.SK.P824 and previous Contact Lexmark
C736 LR.SKE.P824 and previous Contact Lexmark
E46x LR.LBH.P824 and previous Contact Lexmark
T65x LR.JP.P824 and previous Contact Lexmark
X46x LR.BS.P824 and previous Contact Lexmark
X65x  LR.MN.P824 and previous Contact Lexmark
X73x LR.FL.P824 and previous Contact Lexmark
W850 LP.JB.P823 and previous Contact Lexmark
X86x LP.SP.P823 and previous Contact Lexmark

 

 

Obtained Updated Software


To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical
Support Center at http://support.lexmark.com to find your local support center.

 

 

Workarounds


Lexmark recommends a firmware update if your device has affected firmware.

 

 

 

Exploitation and Public Announcements


Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this
advisory.

Lexmark would like to thank Tim Tepatti for bringing this issue to our attention.

 

 

 

Status of this Notice:


THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR
WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

 

  

Distribution


This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts
Future updates to this document will be posted on Lexmark’s web site at the same location.

 

 

Revision History

 

Revision Date Reason
1.1 27 - April - 2020 Initial Public Release

 

 Top



Link:
Please enter the email address you would like to send a copy of this page to.