Vulnerability Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that (1) print documents via unknown vectors, (2) modify the network configuration via a NetIPChange request to hp/device/config_result_YesNo.html/config, or (3) change the password via the Password and ConfirmPassword parameters to hp/device/set_config_password.html/config.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| HP | 8100C Digital Sender | - |
| HP | 9100C Digital Sender | - |
| HP | 9200C Digital Sender | - |
| HP | 9250C Digital Sender | - |
| HP | Color LaserJet | All versions |
| HP | Color LaserJet 1500 | All versions |
| HP | Color LaserJet 2500 | All versions |
| HP | Color LaserJet 2500L | All versions |
| HP | Color LaserJet 2500Lse | All versions |
| HP | Color LaserJet 2500N | All versions |
| HP | Color LaserJet 2500Tn | All versions |
| HP | Color LaserJet 2605Dtn | All versions |
| HP | Color LaserJet 4370Mfp | 20081211_46.211.2 |
| HP | Color LaserJet 4600 | All versions |
| HP | Color LaserJet 4600Dn | All versions |
| HP | Color LaserJet 4600Dtn | All versions |
| HP | Color LaserJet 4600Hdn | All versions |
| HP | Color LaserJet 4650 | All versions |
| HP | Color LaserJet 4700 | All versions |
| HP | Color LaserJet 4730 Mfp | All versions |
Related Weaknesses (CWE)
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566 (Vendor Advisory)
- http://osvdb.org/52847
- http://osvdb.org/52848
- http://osvdb.org/52849
- http://www.louhinetworks.fi/advisory/HP_20090317.txt (Exploit)
- http://www.securityfocus.com/archive/1/501884/100/0/threaded
- http://www.securityfocus.com/bid/34143
- http://www.vupen.com/english/advisories/2009/0754
FAQ
What is CVE-2009-0940?
CVE-2009-0940 is a vulnerability with a CVSS score of 5.1 (MEDIUM). Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intr...
How severe is CVE-2009-0940?
CVE-2009-0940 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2009-0940?
Check the references section above for vendor advisories and patch information. Affected products include: HP 8100C Digital Sender, HP 9100C Digital Sender, HP 9200C Digital Sender, HP 9250C Digital Sender, HP Color LaserJet.