CVE-2022-40184: Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000

Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

Advisory Information

  • Advisory ID: BOSCH-SA-454166-BT
  • CVE Numbers and CVSS v3.1 Scores:
    • CVE-2022-40183
      • Base Score: 5.8 (Medium)
    • CVE-2022-40184
      • Base Score: 5.1 (Medium)
  • Published: 19 Oct 2022
  • Last Updated: 19 Oct 2022

Summary

A reflected Cross Site Scripting (XSS) vulnerability and a stored Cross Site Scripting (XSS) vulnerability were discovered in the Bosch VIDEOJET multi 4000.

For more details please see the description of the vulnerability in this advisory.

Bosch rates these vulnerabilities with CVSS v3.1 base scores of 5.8 (medium) and 5.1 (medium) respectively, where the final rating depends on the customer’s environment.

Customers are advised to follow listed mitigations until an update is available.

Affected Products

  • Bosch VIDEOJET multi 4000 <= 6.31.0010

Solution and Mitigations

Secure Configuration Environment

It is advised to configure the encoder with a Bosch tool such as the Configuration Manager, which is not vulnerable to issues like XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery).

When using the web-based configuration interface while logged in as an administrator, the following precautions mitigate XSS or CSRF vulnerabilities:

  • No other websites or email content should be opened as long as the session to the encoder is active.

  • No links should be clicked from an untrusted external source that link back to the encoder.

  • Use a different browser than the system default browser to open a session to the encoder, as there is no XSS or CSRF between browsers: a crafted link that opens in the default browser cannot use the session held by the other browser.

  • Always log out and/or close the browser (not only the tab) to clear any session data.

Secure Administration

A stored XSS attack is only possible when a user with administrative rights is able to save malicious JavaScript code on the device. Only trusted users should have access to the administrative interface, and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).

Vulnerability Details

CVE-2022-40183

CVE description: An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.

  • Problem Type:
    • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
    • Base Score: 5.8 (Medium)

CVE-2022-40184

CVE description: Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

  • Problem Type:
    • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
    • Base Score: 5.1 (Medium)
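Both findings are CWE-79, and the stored one is described as incomplete filtering of JavaScript in configuration fields. The following added example is not Bosch code and makes no claim about how the VIDEOJET multi 4000 filters input: the blocklist filter, the `<td>` rendering context and the sample inputs are hypothetical, constructed to show why stripping `<script>` tags is an incomplete defence and why context-aware output encoding (here `html.escape`) is the fix. The check parses the rendered fragment the way a browser would and reports whether the field value has become markup.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs for a hypothetical "device name" configuration field.
# None of these strings is claimed to be a working payload against the VIDEOJET multi 4000.
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",                    # the obvious case a blocklist catches
    "<SCRIPT>alert(1)</SCRIPT>",                    # case variation
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # tag splitting: the filter reassembles the tag
    "<img src=x onerror=alert(1)>",                 # no script tag at all
]


def naive_filter(value: str) -> str:
    """Hypothetical incomplete filter: strips literal <script> tags and nothing else."""
    return value.replace("<script>", "").replace("</script>", "")


def render_unsafe(value: str) -> str:
    """Vulnerable pattern (CWE-79): a blocklist-filtered value is placed into HTML
    without output encoding, e.g. in the configuration overview every admin views."""
    return f"<td>{naive_filter(value)}</td>"


def render_safe(value: str) -> str:
    """Hardened pattern: no blocklist; the value is HTML-encoded for the context it lands in."""
    return f"<td>{html.escape(value, quote=True)}</td>"


class _ElementCollector(HTMLParser):
    """Records every element and attribute name the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected_markup(rendered: str, container: str = "td") -> bool:
    """True if the rendered fragment contains any element other than the container
    or any event-handler attribute, i.e. the field value has become markup."""
    parser = _ElementCollector()
    parser.feed(rendered)
    parser.close()
    extra_tags = [t for t in parser.tags if t != container]
    handlers = [a for a in parser.attrs if a.lower().startswith("on")]
    return bool(extra_tags or handlers)


def compare() -> dict[str, list[bool]]:
    """Per sample input: is markup injected with the naive filter vs. with encoding?"""
    return {
        "naive_filter": [injected_markup(render_unsafe(v)) for v in SAMPLE_INPUTS],
        "html_escape": [injected_markup(render_safe(v)) for v in SAMPLE_INPUTS],
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

The naive filter only stops the first input; the other three all survive it and become live elements, while the encoded rendering turns every input into inert text. The same encoding rule applies to the reflected case: a URL parameter echoed into the page is untrusted input in exactly the same way as a stored configuration value.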

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

  • [1] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 19 Oct 2022: Initial Publication

Appendix

Affected Products

Bosch VIDEOJET multi 4000

  Affected VIDEOJET multi 4000 firmware   Name of version to fix the vulnerability
  6.31.0010 and earlier                   VIDEOJET multi Download Area (see [1])

Material Lists

VIDEOJET multi 4000

  Family Name              CTN           SAP#            Material description
  VIDEOJET multi 4000      VJM-4016      F.01U.298.670   VIDEOJET multi 4000
  VIDEOJET multi 4000 EU   VJM-4016-EU   F.01U.296.122   VIDEOJET multi 4000 EU
  VIDEOJET multi 4000 US   VJM-4016-US   F.01U.298.556   VIDEOJET multi 4000 US
