Skip to Content Information Center
Lexmark B2236

Lexmark B2236

Lexmark Security Advisory: Cross Site Request Forgery Vulnerability (CVE-2020-13481)

Lexmark Security Advisory:

Revision: 1.1
Last update: 22-June-2020
Public Release Date: 26-June-2020

Summary

A stored cross site scripting vulnerability has been identified in Lexmark devices.

References

CVE: CVE-2020-13481

Details

A stored cross site scripting vulnerability has been identified in the embedded web server used in Lexmark devices. The vulnerability can be used to attack the user's browser, exposing session credentials and other information accessible to the browser.

CVSSv3 Base Score5.7(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Impact Subscore:3.6
Exploitability Subscore:2.1

CVSSv3 scores are calculated in accordance with CVSS version 3.1 (https://www.first.org/cvss/user-guide)

Impact

Successful exploitation of this vulnerability can lead to disclosure of information accessible to the browser.

Affected Products

To determine a device's firmware level, select the Settings > Reports > Menu Setting Page menu item from the operator panel.

If the firmware level listed under Device Information matches any level under Affected Releases, then upgrade to a Fixed Release.

Lexmark ModelsAffected ReleasesFixed Releases
B2236MSLSG.073.022 – 073.023 AND 072.209 and previousMSLSG.072.210 – 072.224 AND 073.225 and later
MS331, MS431MSLBD.073.022 – 073.023 AND 072.209 and previousMSLBD.072.210 – 072.224 AND 073.225 and later
M1241MSLBD.073.022 – 073.023 AND 072.209 and previousMSLBD.072.210 – 072.224 AND 073.225 and later
B3442, B3340MSLBD.073.022 – 073.023 AND 072.209 and previousMSLBD.072.210 – 072.224 AND 073.225 and later
MB2236MXLSG.073.022 – 073.023 AND 072.209 and previousMXLSG.072.210 – 072.224 AND 073.225 and later
MX431, MX331MXLBD.073.022 – 073.023 AND 072.209 and previousMXLBD.072.210 – 072.224 AND 073.225 and later
MB3442MXLBD.073.022 – 073.023 AND 072.209 and previousMXLBD.072.210 – 072.224 AND 073.225 and later
MS521MSNGM.073.022 – 073.023 AND 072.209 and previousMSNGM.072.210 – 072.224 AND 073.225 and later
MS621, MS622MSTGM.073.022 – 073.023 AND 072.209 and previousMSTGM.072.210 – 072.224 AND 073.225 and later
M1246, M3250MSTGM.073.022 – 073.023 AND 072.209 and previousMSTGM.072.210 – 072.224 AND 073.225 and later
B2546, B2650MSTGM.073.022 – 073.023 AND 072.209 and previousMSTGM.072.210 – 072.224 AND 073.225 and later
MX421, MX521, MX522, MX622MXTGM.073.022 – 073.023 AND 072.209 and previousMXTGM.072.210 – 072.224 AND 073.225 and later
XM1242, XM1246, XM3250MXTGM.073.022 – 073.023 AND 072.209 and previousMXTGM.072.210 – 072.224 AND 073.225 and later
MB2546, MB2650MXTGM.073.022 – 073.023 AND 072.209 and previousMXTGM.072.210 – 072.224 AND 073.225 and later
MX321MXNGM.073.022 – 073.023 AND 072.209 and previousMXNGM.072.210 – 072.224 AND 073.225 and later
MB2338MXNGM.073.022 – 073.023 AND 072.209 and previousMXNGM.072.210 – 072.224 AND 073.225 and later
MS725, MS821MSNGW.073.022 – 073.023 AND 072.209 and previousMSNGW.072.210 – 072.224 AND 073.225 and later
MS822, MS823, MS825, MS826MSTGW.073.022 – 073.023 AND 072.209 and previousMSTGW.072.210 – 072.224 AND 073.225 and later
M5255, M5270MSTGW.073.022 – 073.023 AND 072.209 and previousMSTGW.072.210 – 072.224 AND 073.225 and later
B2865MSTGW.073.022 – 073.023 AND 072.209 and previousMSTGW.072.210 – 072.224 AND 073.225 and later
MX721, MX722, MX822, MX826MXTGW.073.022 – 073.023 AND 072.209 and previousMXTGW.072.210 – 072.224 AND 073.225 and later
XM5365, XM7355, XM7370MXTGW.073.022 – 073.023 AND 072.209 and previousMXTGW.072.210 – 072.224 AND 073.225 and later
C3426CSLBN.073.022 – 073.023 AND 072.209 and previousCSLBN.072.210 – 072.224 AND 073.225 and later
CS431CSLBN.073.022 – 073.023 AND 072.209 and previousCSLBN.072.210 – 072.224 AND 073.225 and later
CS331CSLBL.073.022 – 073.023 AND 072.209 and previousCSLBL.072.210 – 072.224 AND 073.225 and later
C3224CSLBL.073.022 – 073.023 AND 072.209 and previousCSLBL.072.210 – 072.224 AND 073.225 and later
C3326CSLBL.073.022 – 073.023 AND 072.209 and previousCSLBL.072.210 – 072.224 AND 073.225 and later
MC3426CXLBN.073.022 – 073.023 AND 072.209 and previousCXLBN.072.210 – 072.224 AND 073.225 and later
CX431CXLBN.073.022 – 073.023 AND 072.209 and previousCXLBN.072.210 – 072.224 AND 073.225 and later
MC3326, MC3224CXLBL.073.022 – 073.023 AND 072.209 and previousCXLBL.072.210 – 072.224 AND 073.225 and later
CX331CXLBL.073.022 – 073.023 AND 072.209 and previousCXLBL.072.210 – 072.224 AND 073.225 and later
CS622CSTZJ.073.022 – 073.023 AND 072.209 and previousCSTZJ.072.210 – 072.224 AND 073.225 and later
C2240CSTZJ.073.022 – 073.023 AND 072.209 and previousCSTZJ.072.210 – 072.224 AND 073.225 and later
CS421, CS521CSNZJ.073.022 – 073.023 AND 072.209 and previousCSNZJ.072.210 – 072.224 AND 073.225 and later
C2535, C2325, C2425CSNZJ.073.022 – 073.023 AND 072.209 and previousCSNZJ.072.210 – 072.224 AND 073.225 and later
CX522, CX622, CX625CXTZJ.073.022 – 073.023 AND 072.209 and previousCXTZJ.072.210 – 072.224 AND 073.225 and later
XC2235, XC4240CXTZJ.073.022 – 073.023 AND 072.209 and previousCXTZJ.072.210 – 072.224 AND 073.225 and later
MC2535, MC2640CXTZJ.073.022 – 073.023 AND 072.209 and previousCXTZJ.072.210 – 072.224 AND 073.225 and later
CX421CXNZJ.073.022 – 073.023 AND 072.209 and previousCXNZJ.072.210 – 072.224 AND 073.225 and later
MC2325, MC2425CXNZJ.073.022 – 073.023 AND 072.209 and previousCXNZJ.072.210 – 072.224 AND 073.225 and later
CX820, CX825, CX860CXTPP.073.022 – 073.023 AND 072.209 and previousCXTPP.072.210 – 072.224 AND 073.225 and later
XC6152, XC8155, XC8160CXTPP.073.022 – 073.023 AND 072.209 and previousCXTPP.072.210 – 072.224 AND 073.225 and later
CS820CSTPP.073.022 – 073.023 AND 072.209 and previousCSTPP.072.210 – 072.224 AND 073.225 and later
C6160CSTPP.073.022 – 073.023 AND 072.209 and previousCSTPP.072.210 – 072.224 AND 073.225 and later
CS720, CS725CSTAT.073.022 – 073.023 AND 072.209 and previousCSTAT.072.210 – 072.224 AND 073.225 and later
C4150CSTAT.073.022 – 073.023 AND 072.209 and previousCSTAT.072.210 – 072.224 AND 073.225 and later
CX725CXTAT.073.022 – 073.023 AND 072.209 and previousCXTAT.072.210 – 072.224 AND 073.225 and later
XC4140, XC4150CXTAT.073.022 – 073.023 AND 072.209 and previousCXTAT.072.210 – 072.224 AND 073.225 and later
CS921, CS923CSTMH.073.022 – 073.023 AND 072.209 and previousCSTMH.072.210 – 072.224 AND 073.225 and later
CX921, CX922, CX923, CX924CXTMH.073.022 – 073.023 AND 072.209 and previousCXTMH.072.210 – 072.224 AND 073.225 and later
XC92xxCXTMH.073.022 – 073.023 AND 072.209 and previousCXTMH.072.210 – 072.224 AND 073.225 and later
CS31xLW75.VYL.P278 and previousLW75.VYL.P279 and later
CS41xLW75.VY2.P278 and previousLW75.VY2.P279 and later
CS51xLW75.VY4.P278 and previousLW75.VY4.P279 and later
CX310LW75.GM2.P278 and previous LW75.GM2.P279 and later
CX410 & XC2130LW75.GM4.P278 and previous LW75.GM4.P279 and later
CX510 & XC2132LW75.GM7.P278 and previous LW75.GM7.P279 and later
MS310, MS312, MS317LW75.PRL.P278 and previous LW75.PRL.P279 and later
MS410, M1140LW75.PRL.P278 and previous LW75.PRL.P279 and later
MS315, MS415, MS417LW75.TL2.P278 and previous LW75.TL2.P279 and later
MS51x, MS610dn, MS617LW75.PR2.P278 and previous LW75.PR2.P279 and later
M1145, M3150dnLW75.PR2.P278 and previous LW75.PR2.P279 and later
MS610de, M3150LW75.PR4.P278 and previous LW75.PR4.P279 and later
MS810, MS811, MS812, MS817, MS818LW75.DN2.P278 and previous LW75.DN2.P279 and later
MS810de, M5155, M5163LW75.DN4.P278 and previous LW75.DN4.P279 and later
MS812de, M5170LW75.DN7.P278 and previous LW75.DN7.P279 and later
MS91xLW75.SA.P278 and previous LW75.SA.P279 and later
MX31x, XM1135LW75.SB2.P278 and previous LW75.SB2.P279 and later
MX410, MX510 & MX511LW75.SB4.P278 and previous LW75.SB4.P279 and later
XM1140, XM1145LW75.SB4.P278 and previous LW75.SB4.P279 and later
MX610 & MX611LW75.SB7.P278 and previous LW75.SB7.P279 and later
XM3150LW75.SB7.P278 and previous LW75.SB7.P279 and later
MX71x, MX81xLW75.TU.P278 and previous LW75.TU.P279 and later
XM51xx & XM71xxLW75.TU.P278 and previous LW75.TU.P279 and later
MX91x & XM91xLW75.MG.P278 and previous LW75.MG.P279 and later
MX6500eLW75.JD.P278 and previous LW75.JD.P279 and later
C746LHS60.CM2.P738 and previous LHS60.CM2.P739 and later
C748, CS748LHS60.CM4.P738 and previous LHS60.CM4.P739 and later
C792, CS796LHS60.HC.P738 and previous LHS60.HC.P739 and later
C925LHS60.HV.P738 and previous LHS60.HV.P739 and later
C950LHS60.TP.P738 and previous LHS60.TP.P739 and later
X548 & XS548LHS60.VK.P738 and previous LHS60.VK.P739 and later
X74x & XS748LHS60.NY.P738 and previous LHS60.NY.P739 and later
X792 & XS79xLHS60.MR.P738 and previous LHS60.MR.P739 and later
X925 & XS925LHS60.HK.P738 and previous LHS60.HK.P739 and later
X95x & XS95xLHS60.TQ.P738 and previous LHS60.TQ.P739 and later
6500eLHS60.JR.P738 and previous LHS60.JR.P739 and later
C734LR.SK.P825 and previous LR.SK.P826 and later
C736LR.SKE.P825 and previous LR.SKE.P826 and later
E46xLR.LBH.P825 and previous LR.LBH.P826 and later
T65xLR.JP.P825 and previous LR.JP.P826 and later
X46xLR.BS.P825 and previous LR.BS.P826 and later
X65xLR.MN.P825 and previous LR.MN.P826 and later
X73xLR.FL.P825 and previous LR.FL.P826 and later
W850LP.JB.P824 and previous LP.JB.P825 and later
X86xLP.SP.P824 and previous LP.SP.P825 and later

Obtained Updated Software

To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com to find your local support center.

Workarounds

Lexmark recommends a firmware update if your device has affected firmware.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Lexmark would like to thank Daniel Reutter of SySS GmbH for bringing this issue to our attention.

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

RevisionDateReason
1.126 - June- 2020Initial Public Release

Top

LEGACY ID: TE940

Was dit artikel nuttig?
Top