VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2023 · Updated Mar 24, 2025

CVE-2022-44261

Description

Avery Dennison Monarch Printer M9855 is vulnerable to Cross Site Scripting (XSS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Avery Dennison Monarch M9855 printer is vulnerable to stored cross-site scripting (XSS) in the TFORM1 parameter of the setup-wizard-z.pkg file, allowing arbitrary JavaScript execution.

Vulnerability

The Avery Dennison Monarch M9855 label printer contains a stored cross-site scripting vulnerability in the parameter TFORM1 processed by the /SetupWizard-z.pkg page. An attacker with administrative access to the web management interface can inject malicious scripts into the printer's configuration. The exact firmware version affected is not specified in the available references [1], but the vulnerability was reported in 2022 and affects the web-based administration panel of the Monarch M9855.

Exploitation

Exploitation requires administrative access to the printer's web interface. The attacker navigates to the setup-wizard page and injects a JavaScript payload into the TFORM1 input field. Once the payload is saved, any subsequent visit to the affected page (or another page rendering the field) will execute the injected script in the context of the user's browser session [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of administrative credentials, or redirection to malicious sites. The attack can target the printer's operator or administrator, potentially compromising device management and the label data handled through the web interface [1], [2].

Mitigation

No official patch or firmware update has been announced in the available references [1], [2]. As a workaround, it is recommended to restrict network access to the printer's web interface to trusted administrators only, use strong administrative credentials, and monitor access logs. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
