CVE-2022-40184: Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000
Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
Advisory Information
- Advisory ID: BOSCH-SA-454166-BT
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2022-40183: Base Score 5.8 (Medium)
  - CVE-2022-40184: Base Score 5.1 (Medium)
- Published: 19 Oct 2022
- Last Updated: 19 Oct 2022
Summary
The possibility for a reflected Cross Site Scripting (XSS) and stored Cross Site Scripting (XSS) attack was discovered in the Bosch VIDEOJET multi 4000.
For more details please see the description of the vulnerability in this advisory.
Bosch rates these vulnerabilities with CVSSv3.1 base scores of 5.8 (medium) and 5.1 (medium), where the final rating depends on the customer’s environment.
Customers are advised to follow listed mitigations until an update is available.
Affected Products
- Bosch VIDEOJET multi 4000 <= 6.31.0010
Solution and Mitigations
Secure Configuration Environment
It is advised to configure the encoder with a Bosch tool such as the Configuration Manager, which is not vulnerable to browser-based issues like XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery).
When using the web based configuration interface and currently being logged in as an administrator, some security precautions can be taken to mitigate XSS or CSRF vulnerabilities:
- No other websites or email content should be opened as long as the session to the encoder is active.
- No links should be clicked from an untrusted external source that link back to the encoder.
- Use a different browser than the system default browser to open a session to the encoder, as there is no XSS or CSRF between browsers.
- Always log out and/or close the browser (not only the tab) to clear any session data.
Secure Administration
A stored XSS attack is only possible when a user with administrative rights is able to save malicious JavaScript code on the device. Only trusted users should have access to the administrative interface, and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).
Vulnerability Details
CVE-2022-40183
CVE description: An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.
- Problem Type:
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
- Base Score: 5.8 (Medium)
CVE-2022-40184
CVE description: Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
- Problem Type:
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
- Base Score: 5.1 (Medium)
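Both CVEs are instances of CWE-79: the device's web interface emits attacker-controlled text (a URL parameter for CVE-2022-40183, a saved configuration field for CVE-2022-40184) into HTML without complete neutralization. The following added example is not Bosch code and does not reproduce the VIDEOJET firmware; it is an illustration of why the "incomplete filtering" the advisory describes fails and what complete output encoding looks like. The page layout, the `name` parameter, the sample field value and the helper names are all assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs (not taken from the advisory): a configuration
# field value an administrator might save, and a reflected URL parameter.
STORED_FIELD = '<img src=x onerror="alert(1)">Lobby camera'
REFLECTED_URL = 'http://encoder.example/page.html?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E'


def incomplete_filter(value: str) -> str:
    """A blocklist filter of the kind the advisory calls 'incomplete'.

    It strips <script> tags but leaves every other way of attaching
    JavaScript (event-handler attributes, other tags) untouched, and it
    also leaves quotes intact, so a value can still break out of an
    HTML attribute.
    """
    return re.sub(r'(?i)</?script[^>]*>', '', value)


def encode_for_html(value: str) -> str:
    """Contextual output encoding: every character that can end text or an
    attribute (& < > " ') becomes an entity, so the browser can only ever
    treat the value as text, whatever the administrator typed."""
    return html.escape(value, quote=True)


def render_config_row(label: str, value: str, encode=encode_for_html) -> str:
    """Render one configuration option the way an admin page would show it.

    `encode` is the neutralization step applied at output time; the stored
    value itself is never modified, which is what allows a later fix to
    protect previously saved data.
    """
    return f'<tr><td>{encode(label)}</td><td><input value="{encode(value)}"></td></tr>'


def render_reflected(url: str, encode=encode_for_html) -> str:
    """Hypothetical URL handler that echoes a query parameter into the page
    (assumption: the real handler's behaviour is not described on the page)."""
    name = parse_qs(urlsplit(url).query).get('name', [''])[0]
    return f'<p>Unknown page: {encode(name)}</p>'


def contains_markup(rendered_value: str) -> bool:
    """Detection check: does the rendered value still contain a raw tag
    opener or a raw double quote that could close the enclosing attribute?"""
    return '<' in rendered_value or '"' in rendered_value


if __name__ == '__main__':
    # The blocklist handles the one pattern it knows about ...
    print(render_reflected(REFLECTED_URL, incomplete_filter))
    # ... but passes an event-handler payload through unchanged.
    print(render_config_row('Camera name', STORED_FIELD, incomplete_filter))
    # Complete encoding neutralizes both without needing to know the payload.
    print(render_reflected(REFLECTED_URL))
    print(render_config_row('Camera name', STORED_FIELD))
```

The defensive point is the last two lines: an allowlist-style encoder needs no knowledge of which tags or attributes are dangerous, so it cannot be "incomplete" in the way a pattern-stripping filter is. The same function serves the reflected case (CVE-2022-40183) and the stored case (CVE-2022-40184) because both are output-encoding failures, not input-validation failures.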
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 19 Oct 2022: Initial Publication
Appendix
Affected Products
Bosch VIDEOJET multi 4000

| Affected VIDEOJET multi 4000 firmware | Name of version to fix the vulnerability |
|---|---|
| 6.31.0010 and earlier | VIDEOJET multi Download Area |
Material Lists
VIDEOJET multi 4000

| Family Name | CTN | SAP# | Material description |
|---|---|---|---|
| VIDEOJET multi 4000 | VJM-4016 | F.01U.298.670 | VIDEOJET multi 4000 |
| VIDEOJET multi 4000 EU | VJM-4016-EU | F.01U.296.122 | VIDEOJET multi 4000 EU |
| VIDEOJET multi 4000 US | VJM-4016-US | F.01U.298.556 | VIDEOJET multi 4000 US |