CVE-2018-15530: XEROX COLORQUBE, XSS IN WEB INTERFACE

Our Team of security researchers has identified an XSS injection in the web interface of the Xerox ColorQube 8580. Most likely other Printers are affected too.

This Vulnerability can be exploited by printing a document with a specially crafted filename (PostScript filename in metadata) on the printer, either via USB or via network and can therefore be exploited remotely. The consequences of this vulnerability range from session hijacking to defacing of the job accounting overview. This vulnerability does need user interaction and can only be exploited if the victim accesses "/UE/jobaccountingbrowse.html".

Proof of Concept

The Proof of Concept can be downloaded here and can simply be printed on the printer.

Affected

ColorQube 8580/8880: before PS 4.23.0 / Net 44.48.09.14.2018
ColorQube 8570/8870: before PS 5.1.0 / Net 43.96.09.21.2018

Updates

09.08.2018: Vulnerability disclosed to Xerox.
13.08.2018: Start of internal investigation by Xerox
17.08.2018: Set public release date to 15.10.2018
19.08.2018: CVE Assigned: CVE-2018-15530
09.10.2018: Release of security bulletin by Xerox. 1, 2