Skip to Content Information Center
Lexmark MS312

Lexmark MS312

Not your product?

Lexmark Security Advisory: Cross Site Scripting vulnerabilities (CVE-2019-19772, CVE-2019-19773)

Lexmark Security Advisory:

Revision: 1.0
Last update: 20 February 2020
Public Release Date: 28 February 2020

Summary

Two Cross Site Scripting vulnerabilities have been identified in older Lexmark devices.

References

CVE: CVE-2019-19772, CVE-2019-19773

Details

CVE-2019-19772

A reflected cross site scripting vulnerability has been identified in the embedded web server used in older generation Lexmark devices. The vulnerability can be used to attack the user’s browser, exposing session credentials and other information accessible to the browser.

CVSSv3.1 Base Score5.7(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Impact Subscore:3.6
Exploitability Subscore:2.1

CVE-2019-19773

A stored cross site scripting vulnerability has been identified in the embedded web server used in older generation Lexmark devices. The vulnerability can be used to attack the user’s browser, exposing session credentials and other information accessible to the browser.

CVSSv3.1 Base Score5.7(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Impact Subscore:3.6
Exploitability Subscore:2.1

CVSSv3 scores are calculated in accordance with CVSS version 3.1 (https://www.first.org/cvss/user-guide)

Impact

Successful exploitation of this vulnerability can lead to disclosure of information accessible to the browser, including session hijacking and credential theft.

Affected Products

To determine a device's firmware level, select the Settings > Reports > Menu Setting Page menu item from the operator panel. If the firmware level listed under “Device Information” matches any level under “Affected Releases”, then upgrade to a “Fixed Release”.

Lexmark ModelsAffected ReleasesFixed Releases
CS31xLW74.VYL.P267 and previousLW74.VYL.P268 and later
CS41xLW74.VY2.P267 and previousLW74.VY2.P268 and later
CS51xLW74.VY4.P267 and previousLW74.VY4.P268 and later
CX310LW74.GM2.P267 and previousLW74.GM2.P268 and later
CX410 & XC2130LW74.GM4.P267 and previousLW74.GM4.P268 and later
CX510 & XC2132LW74.GM7.P267 and previousLW74.GM7.P268 and later
MS310, MS312, MS317LW74.PRL.P267 and previousLW74.PRL.P268 and later
MS410, M1140LW74.PRL.P267 and previousLW74.PRL.P268 and later
MS315, MS415, MS417LW74.TL2.P267 and previousLW74.TL2.P268 and later
MS51x, MS610dn, MS617LW74.PR2.P267 and previousLW74.PR2.P268 and later
M1145, M3150dnLW74.PR2.P267 and previousLW74.PR2.P268 and later
MS610de, M3150LW74.PR4.P267 and previousLW74.PR4.P268 and later
MS71x,M5163dnLW74.DN2.P267 and previousLW74.DN2.P268 and later
MS810, MS811, MS812, MS817, MS818LW74.DN2.P267 and previousLW74.DN2.P268 and later
MS810de, M5155, M5163LW74.DN4.P267 and previousLW74.DN4.P268 and later
MS812de, M5170LW74.DN7.P267 and previousLW74.DN7.P268 and later
MS91xLW74.SA.P267 and previousLW74.SA.P268 and later
MX31x, XM1135LW74.SB2.P267 and previousLW74.SB2.P268 and later
MX410, MX510 & MX511LW74.SB4.P267 and previousLW74.SB4.P268 and later
XM1140, XM1145LW74.SB4.P267 and previousLW74.SB4.P268 and later
MX610 & MX611LW74.SB7.P267 and previousLW74.SB7.P268 and later
XM3150LW74.SB7.P267 and previousLW74.SB7.P268 and later
MX71x, MX81xLW74.TU.P267 and previousLW74.TU.P268 and later
XM51xx & XM71xxLW74.TU.P267 and previousLW74.TU.P268 and later
MX91x & XM91xLW74.MG.P267 and previousLW74.MG.P268 and later
MX6500eLW74.JD.P267 and previousLW74.JD.P268 and later
C746LHS60.CM2.P735 and previousLHS60.CM2.P736 and later
C748, CS748LHS60.CM4.P735 and previousLHS60.CM4.P736 and later
C792, CS796LHS60.HC.P735 and previousLHS60.HC.P736 and later
C925LHS60.HV.P735 and previousLHS60.HV.P736 and later
C950LHS60.TP.P735 and previousLHS60.TP.P736 and later
X548 & XS548LHS60.VK.P735 and previousLHS60.VK.P736 and later
X74x & XS748LHS60.NY.P735 and previousLHS60.NY.P736 and later

X792 & XS79x

LHS60.MR.P735 and previousLHS60.MR.P736 and later
X925 & XS925LHS60.HK.P735 and previousLHS60.HK.P736 and later
X95x & XS95xLHS60.TQ.P735 and previousLHS60.TQ.P736 and later
6500eLHS60.JR.P735 and previousLHS60.JR.P736 and later
C734LR.SK.P822 and previousLR.SK.P823 and later
C736LR.SKE.P822 and previousLR.SKE.P823 and later
E46xLR.LBH.P822 and previousLR.LBH.P823 and later
T65xLR.JP.P822 and previousLR.JP.P823 and later
X46xLR.BS.P822 and previousLR.BS.P823 and later
X65x LR.MN.P822 and previousLR.MN.P823 and later
X73xLR.FL.P822 and previousLR.FL.P823 and later
W850LP.JB.P821 and previousLP.JB.P822 and later
X86xLP.SP.P821 and previousLP.SP.P822 and later

Obtained Updated Software

To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com to find your local support center.

Workarounds

The XSS vulnerabilities may be mitigated by disabling the Embedded Web Server (EWS) in the affected devices.

Lexmark recommends a firmware update if your device has affected firmware.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Lexmark would like to thank Vidya Bhaskar Tripathi for bringing this to our attention.

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

RevisionDateReason
1.020 - February - 2020Initial Public Release

Top

LEGACY ID: TE935
Was this article helpful?


Related content

Top