CVE-2012-3272

EUVD-2012-3250

06.12.2012, 11:45

Cross-site scripting (XSS) vulnerability on the HP Color LaserJet CM3530 with firmware before 53.190.9, Color LaserJet CM60xx with firmware before 52.210.9, Color LaserJet CP3525 with firmware before 06.140.3 18, Color LaserJet CP4xxx with firmware before 07.120.6, Color LaserJet CP6015 with firmware before 04.160.3, LaserJet P3015 with firmware before 07.140.3, and LaserJet P4xxx with firmware before 04.170.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 69%

Affected Products (NVD)

Vendor	Product	Version
hp	color_laserjet_cm3530	𝑥 ≤ 53.190.8
hp	color_laserjet_cm60xx	𝑥 ≤ 53.190.8
hp	color_laserjet_cp3525	𝑥 ≤ 06.140.3.17
hp	color_laserjet_cp4xxx	𝑥 ≤ 07.120.5
hp	color_laserjet_cp6015	𝑥 ≤ 04.160.2
hp	laserjet_p3015	𝑥 ≤ 07.140.2
hp	laserjet_p4xxx	𝑥 ≤ 04.170.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://www.securitytracker.com/id?1027841

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03556108

http://www.securitytracker.com/id?1027841

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03556108