Our Team of security researchers has identified an XSS injection in the web interface of the Xerox ColorQube 8580. Most likely other Printers are affected too.
This Vulnerability can be exploited by printing a document with a specially crafted filename (PostScript filename in metadata) on the printer, either via USB or via network and can therefore be exploited remotely. The consequences of this vulnerability range from session hijacking to defacing of the job accounting overview. This vulnerability does need user interaction and can only be exploited if the victim accesses “/UE/jobaccountingbrowse.html”.
The Proof of Concept
can be downloaded here and can simply be printed on the printer.
09.08.2018: Vulnerability disclosed to Xerox.
13.08.2018: Start of internal investigation by Xerox
17.08.2018: Set public release date to 15.10.2018
19.08.2018: CVE Assigned: CVE-2018-15530
09.10.2018: Release of security bulletin by Xerox. 1, 2