CVE-2021-20877

08.02.2022, 11:15

Cross-site scripting vulnerability in Canon laser printers and small office multifunctional printers (LBP162L/LBP162, MF4890dw, MF269dw/MF265dw/MF264dw/MF262dw, MF249dw/MF245dw/MF244dw/MF242dw/MF232w, and MF229dw/MF224dw/MF222dw sold in Japan, imageCLASS MF Series (MF113W/MF212W/MF217W/MF227DW/MF229DW, MF232W/MF244DW/MF247DW/MF249DW, MF264DW/MF267DW/MF269DW/MF269DW VP, and MF4570DN/MF4570DW/MF4770N/MF4880DW/MF4890DW) and imageCLASS LBP Series (LBP113W/LBP151DW/LBP162DW ) sold in the US, and iSENSYS (LBP162DW, LBP113W, LBP151DW, MF269dw, MF267dw, MF264dw, MF113w, MF249dw, MF247dw, MF244dw, MF237w, MF232w, MF229dw, MF217w, MF212w, MF4780w, and MF4890dw) and imageRUNNER (2206IF, 2204N, and 2204F) sold in Europe) allows remote attackers to inject an arbitrary script via unspecified vectors.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
jpcert	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Vendor	Product	Version
canon	2204f	-
canon	2204n	-
canon	2206if	-
canon	lbp113w	-
canon	lbp151dw	-
canon	lbp162	-
canon	lbp162dw	-
canon	lbp162l	-
canon	mf113w	-
canon	mf212w	-
canon	mf217w	-
canon	mf222dw	-
canon	mf224dw	-
canon	mf227dw	-
canon	mf229dw	-
canon	mf232w	-
canon	mf237w	-
canon	mf242dw	-
canon	mf244dw	-
canon	mf245dw	-
canon	mf247dw	-
canon	mf249dw	-
canon	mf262dw	-
canon	mf264dw	-
canon	mf265dw	-
canon	mf267dw	-
canon	mf269dw	-
canon	mf269dw_vp	-
canon	mf4570dn	-
canon	mf4570dw	-
canon	mf4770n	-
canon	mf4780w	-
canon	mf4880dw	-
canon	mf4890dw	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://cweb.canon.jp/e-support/info/211221xss.html

https://jvn.jp/en/jp/JVN64806328/index.html

https://jvn.jp/jp/JVN64806328/index.html

https://www.canon-europe.com/support/product-security-latest-news/

https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/Service-Notice-Canon-Laser-Printer-and-Small-Office-Multifunctional-Printer-related-to-cross-site-scripting

https://cweb.canon.jp/e-support/info/211221xss.html

https://jvn.jp/en/jp/JVN64806328/index.html

https://jvn.jp/jp/JVN64806328/index.html

https://www.canon-europe.com/support/product-security-latest-news/

https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/Service-Notice-Canon-Laser-Printer-and-Small-Office-Multifunctional-Printer-related-to-cross-site-scripting