CVE-2019-25356
Description
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript in the context of an authenticated user's browser session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bematech MP-4200 TH printer admin page is vulnerable to stored XSS via crafted 'admin' or 'person' POST parameters.
The Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer's administrative configuration page (/en/conf_admin.html) is vulnerable to cross-site scripting (XSS). The vulnerability exists because the admin and person POST parameters are not sanitized before being reflected in the page, allowing an attacker to inject arbitrary HTML or JavaScript.
Exploitation
An attacker can send a crafted POST request to the affected page with malicious JavaScript payloads URL-encoded in the admin or person parameters. The provided exploit from [1] demonstrates injecting `` into these fields. No authentication is required to trigger the reflection; however, the injected script executes in the browser session of any authenticated administrator who views the configuration page.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated admin user's browser session. This can lead to session hijacking, defacement, or theft of sensitive printer configuration data. The CVSS v3 score of 6.1 (Medium) reflects the requirement for user interaction (admin viewing the page) and the potential for partial confidentiality and integrity impact.
Mitigation
No official patch from Bematech/Elgin has been identified as of the publication date. Users should consider restricting network access to the printer's web interface, using firewalls or VLAN segmentation, and avoiding use of the admin page until a firmware update is provided. The vendor's website [2] no longer appears to list this product, suggesting it may be end-of-life.
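The defect described above is the reflection of raw 'admin' and 'person' POST values into the configuration page; the usual fix at the application layer is output encoding for the HTML context the value lands in. The following is an added example (not firmware or vendor code from Bematech/Elgin) that models that pattern: a vulnerable renderer that interpolates the fields directly, a hardened renderer that HTML-escapes them, and a small request check a defender could run over captured POST bodies to spot markup in those two fields while the mitigations in the section above are in place. The page template, the single-quoted attribute context, and the sample request bodies are constructed assumptions for illustration.

```python
"""Added example (not the vendor's code): safe reflection of form parameters.

Models the defect class behind CVE-2019-25356: a configuration page that echoes
the submitted 'admin' and 'person' fields back into HTML. The template and the
sample POST bodies below are constructed for illustration.
"""
import re
from html import escape
from urllib.parse import parse_qs

# Constructed stand-in for the configuration page; values land inside
# single-quoted attributes, so quotes must be escaped as well as < and >.
TEMPLATE = (
    "<html><body><h1>Configuration</h1>"
    "<form method='post'>"
    "Admin: <input name='admin' value='{admin}'>"
    "Person: <input name='person' value='{person}'>"
    "</form></body></html>"
)

FIELDS = ("admin", "person")


def parse_post_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body; missing fields -> ''."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: fields.get(name, [""])[0] for name in FIELDS}


def render_vulnerable(body: str) -> str:
    """Reflects the raw decoded values: the unsanitized pattern the CVE describes."""
    f = parse_post_body(body)
    return TEMPLATE.format(admin=f["admin"], person=f["person"])


def render_hardened(body: str) -> str:
    """Escapes every reflected value for an HTML attribute context.

    quote=True turns ' and " into entities, which matters because the
    template wraps the value in single quotes.
    """
    f = parse_post_body(body)
    return TEMPLATE.format(**{k: escape(v, quote=True) for k, v in f.items()})


# Characters that have no business in an administrator or contact name.
# Checked on the decoded value, so %3C-style encoding is seen as '<'.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def flagged_fields(body: str) -> list:
    """Return the names of admin/person fields that carry markup characters.

    Intended for review of captured POST bodies to the configuration page
    while no firmware fix is available; an empty list means nothing suspicious.
    """
    f = parse_post_body(body)
    return [name for name, value in f.items() if MARKUP.search(value)]


if __name__ == "__main__":
    # Constructed sample bodies: one benign, one carrying a script tag.
    benign = "admin=root&person=alice"
    hostile = "admin=%3Cscript%3Ex%3C/script%3E&person=alice"
    print(render_vulnerable(hostile))   # tag lands in the page verbatim
    print(render_hardened(hostile))     # tag is rendered as text
    print(flagged_fields(benign), flagged_fields(hostile))
```

The hardened renderer does not try to "clean" the input; it encodes at output time for the exact context (a single-quoted attribute), which is the fix that survives any encoding trick the decoder applies before the value reaches the template.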
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)