Cross-site scripting in Canon laser printers and small office multifunctional printers

Published: 2022-01-19

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-20877
CWE-ID	CWE-79
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	MF113W Hardware solutions / Other hardware appliances MF212W Hardware solutions / Other hardware appliances MF217W Hardware solutions / Other hardware appliances MF227DW Hardware solutions / Other hardware appliances MF229DW Hardware solutions / Other hardware appliances MF232W Hardware solutions / Other hardware appliances MF244DW Hardware solutions / Other hardware appliances MF247DW Hardware solutions / Other hardware appliances MF249DW Hardware solutions / Other hardware appliances MF264DW Hardware solutions / Other hardware appliances MF267DW Hardware solutions / Other hardware appliances MF269DW Hardware solutions / Other hardware appliances MF269DW VP Hardware solutions / Other hardware appliances MF4570DN Hardware solutions / Other hardware appliances MF4570DW Hardware solutions / Other hardware appliances MF4770N Hardware solutions / Other hardware appliances MF4880DW Hardware solutions / Other hardware appliances MF4890DW Hardware solutions / Other hardware appliances LBP113W Hardware solutions / Other hardware appliances LBP151DW Hardware solutions / Other hardware appliances LBP162DW Hardware solutions / Other hardware appliances iSENSYS LBP113W Hardware solutions / Other hardware appliances iSENSYS LBP151DW Hardware solutions / Other hardware appliances iSENSYS MF269dw Hardware solutions / Other hardware appliances iSENSYS MF267dw Hardware solutions / Other hardware appliances iSENSYS MF264dw Hardware solutions / Other hardware appliances iSENSYS MF113w Hardware solutions / Other hardware appliances iSENSYS MF249dw Hardware solutions / Other hardware appliances iSENSYS MF247dw Hardware solutions / Other hardware appliances iSENSYS MF244dw Hardware solutions / Other hardware appliances iSENSYS MF237w Hardware solutions / Other hardware appliances iSENSYS MF232w Hardware solutions / Other hardware appliances iSENSYS MF229dw Hardware solutions / Other hardware appliances iSENSYS MF217w Hardware solutions / Other hardware appliances iSENSYS MF212w Hardware solutions / Other hardware appliances iSENSYS MF4780w Hardware solutions / Other hardware appliances iSENSYS MF4890dw Hardware solutions / Other hardware appliances imageRUNNER 2206IF Hardware solutions / Other hardware appliances imageRUNNER 2204N Hardware solutions / Other hardware appliances imageRUNNER 2204F Hardware solutions / Other hardware appliances
Vendor	Canon Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU59822

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-20877

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

MF113W: All versions

MF212W: All versions

MF217W: All versions

MF227DW: All versions

MF229DW: All versions

MF232W: All versions

MF244DW: All versions

MF247DW: All versions

MF249DW: All versions

MF264DW: All versions

MF267DW: All versions

MF269DW: All versions

MF269DW VP: All versions

MF4570DN: All versions

MF4570DW: All versions

MF4770N: All versions

MF4880DW: All versions

MF4890DW: All versions

LBP113W: All versions

LBP151DW: All versions

LBP162DW: All versions

iSENSYS LBP113W: All versions

iSENSYS LBP151DW: All versions

iSENSYS MF269dw: All versions

iSENSYS MF267dw: All versions

iSENSYS MF264dw: All versions

iSENSYS MF113w: All versions

iSENSYS MF249dw: All versions

iSENSYS MF247dw: All versions

iSENSYS MF244dw: All versions

iSENSYS MF237w: All versions

iSENSYS MF232w: All versions

iSENSYS MF229dw: All versions

iSENSYS MF217w: All versions

iSENSYS MF212w: All versions

iSENSYS MF4780w: All versions

iSENSYS MF4890dw: All versions

imageRUNNER 2206IF: All versions

imageRUNNER 2204N: All versions

imageRUNNER 2204F: All versions

CPE2.3

External links

https://jvn.jp/en/jp/JVN64806328/index.html
https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/Service-Notice-Canon-Laser-Printer-and-Small-Office-Multifunctional-Printer-related-to-cross-site-scripting
https://www.canon-europe.com/support/product-security-latest-news/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.