VYPR
Medium severity (6.1) · NVD Advisory · Published Feb 12, 2026 · Updated Apr 15, 2026

CVE-2019-25324

Description

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script that allows attackers to inject malicious HTML code. Attackers can exploit the entryNameIn and entryDisplayNameIn parameters to insert arbitrary HTML content, potentially enabling cross-site scripting attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RICOH Web Image Monitor 1.09 is vulnerable to HTML injection via the entryNameIn and entryDisplayNameIn parameters, enabling stored XSS attacks.

Vulnerability

Overview

RICOH Web Image Monitor 1.09 contains an HTML injection vulnerability in the address configuration CGI script (/web/entry/en/address/adrsSetUserWizard.cgi). The entryNameIn and entryDisplayNameIn parameters are not properly sanitized, allowing attackers to inject arbitrary HTML code [1][3][4]. This flaw is classified under CWE-79 (Cross-site Scripting) [3].

Exploitation

An attacker with network access to the device can craft a request to the vulnerable CGI script that places HTML payloads in the entryNameIn or entryDisplayNameIn parameter. The injected content is then rendered in the Web Image Monitor interface when the page is viewed by an authenticated user. No privileges beyond network access are required to inject the payload, but the attack relies on a user (e.g., an administrator) visiting the address book page to trigger execution [3][4].

Impact

Successful exploitation allows an attacker to inject malicious HTML or JavaScript into the Web Image Monitor interface. This can lead to cross-site scripting (XSS) attacks, potentially enabling session hijacking, credential theft, or defacement of the device management page. The CVSS v3 score is 6.1 (Medium), reflecting the need for user interaction and low privileges [3].

Mitigation

As of publication, RICOH has not released a patch for this vulnerability. Users should restrict network access to the Web Image Monitor interface, apply the principle of least privilege, and monitor for vendor updates. An exploit is publicly available on Exploit-DB [4], which increases the risk of active exploitation.
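As an added, defender-side illustration (not part of this advisory or of any RICOH code): the functions below scan access-log lines (constructed samples) for requests to the vulnerable CGI whose entryNameIn or entryDisplayNameIn values carry HTML markup, and show the output encoding the script should apply before rendering a stored name. The Common Log Format layout is an assumption; the device's or proxy's log format may differ.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Values taken from the advisory: the vulnerable CGI path and its unsanitized parameters.
VULN_PATH = "/web/entry/en/address/adrsSetUserWizard.cgi"
VULN_PARAMS = ("entryNameIn", "entryDisplayNameIn")

# An address-book name has no legitimate reason to contain tag or attribute delimiters,
# so any of these characters in the decoded value is treated as an injection attempt.
MARKUP_RE = re.compile(r'[<>"]')

# Common Log Format line (assumed layout; adjust to the log source actually in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def tainted_params(target):
    """Return {param: [markup-bearing values]} for the vulnerable parameters of a
    request to VULN_PATH; {} when the path differs or every value is clean."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return {}
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes, so %3C becomes <
    hits = {n: [v for v in params.get(n, []) if MARKUP_RE.search(v)] for n in VULN_PARAMS}
    return {n: vs for n, vs in hits.items() if vs}

def scan_log(lines):
    """Return one finding per log line that submits markup to the vulnerable CGI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hits = tainted_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": hits})
    return findings

def render_safe(value):
    """What the CGI should do before echoing a stored name into the page: HTML-encode it."""
    return escape(value, quote=True)

# Constructed sample log lines: one clean entry, one injection attempt, one unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2026:10:00:01 +0000] "GET /web/entry/en/address/adrsSetUserWizard.cgi?entryNameIn=Alice&entryDisplayNameIn=Alice+Smith HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Feb/2026:10:00:07 +0000] "GET /web/entry/en/address/adrsSetUserWizard.cgi?entryNameIn=%3Cb%3Eadmin%3C%2Fb%3E&entryDisplayNameIn=Bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Feb/2026:10:00:09 +0000] "GET /web/entry/en/index.cgi?entryNameIn=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], {n: [render_safe(v) for v in vs] for n, vs in f["params"].items()})
```

Only query-string submissions appear in access logs; if the wizard posts the form in the request body, the same check has to run on a reverse proxy or WAF that logs bodies.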

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.