Headline

CVE-2023-26067

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).

1 year ago

%PDF-1.7 %�� 1 0 obj <>/Metadata 604 0 R/ViewerPreferences 605 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��]mo�8� ��E��/"��nm��.�{�Xi�u�-�Ϳ��d+);�x�~��3á,N>�W�N>��#��S��͹��Q��/�J��.Sb��8>:y’�L��F��B[ᔋbx��ŉo��F��G_{�}ݻ��%��r>.�u_��}�{��l��W\��-`��H��x.D��WNGF6G@��+��’�+l /�"�dd̀l�$��A��^�7��b��l�1 {��2�RL(2N�XŘq�$�f?�F�vYK �2�n$m��~�[by7B��Z9�:�hckB��x`�J�(R��C��+̈́��qt-�I84Ǻȵ�?�Y^N��xz#V�m��E�5ZEI�G\j+uf4�P~��\@6�\g��L�̪e��H%w��"�֞}��3�%�̶��N#iZ�_��=�7Z�R�E?�;c�bX��Ljt�U�f��RPG��w�M��Gg��H0G\R1�9�/�M��΂x��I?�M��̇`].� lH��dK�̾/��)�W�� _�}�>��|�` cj2��,:){w��x��:��]��lWP3��H|��2\��/1*��U��*��k ��qA�4 ��W�R��!��OA�1��r ,�:@�p��|�TEV��KFY~#��#��Hi��LT�s�<�2qO�� ɯ�9��Q�L�(M��W��j�%JE:�MK2~�@ ��9��No� b�9_\}��i�F�Y��e��"фP��]8��M��X��0��`��u��sa��UM��d�� ǆB&{7;��Fx�.��t�$r{`?uË�e�I�EǶ`��IЉ/��Խ�B�YDg"�ˏ�gx�.O��Lb��54�Pȕ�}b�� %Pd�,FB|fKC�{!�U"�[�u �W%��="t=�:T�� t9��R.��K5��g�4�4}��RE�c��@��wp}ЮkL��\L,#,_��’�ޅ��q�y$`�� Й��-bq��P|��,��3�(�Ѹ�y!��H^z�$��ٌm��IXŷ�j��QRb��ο��~ݭO��

An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.

1 year ago

Packet Storm

Open in Source

#vulnerability #web #git #rce #perl #xpath #pdf #auth