4.3
MEDIUM
CVE-2009-2684
"HP Jetdirect and EWS Printers Cross-Site Scripting Vulnerability"
Description

Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script.

INFO

Published Date :

Oct. 13, 2009, 10:30 a.m.

Last Modified :

Oct. 10, 2018, 7:41 p.m.

Remotely Exploitable :

Yes !

Impact Score :

2.9

Exploitability Score :

8.6
Affected Products

The following products are affected by CVE-2009-2684 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Hp laserjet_2410
2 Hp laserjet_2420
3 Hp color_laserjet_4730_mfp
4 Hp laserjet_4240
5 Hp laserjet_4345_mfp
6 Hp laserjet_9050_mfp
7 Hp laserjet_m3027_mfp
8 Hp laserjet_m3035_mfp
9 Hp laserjet_m5025_mfp
10 Hp laserjet_p4014
11 Hp color_laserjet_cp6015
12 Hp color_laserjet_cp3505
13 Hp laserjet_5200n
14 Hp laserjet_9040_mfp
15 Hp laserjet_m9040_mpf
16 Hp laserjet_m9050_mpf
17 Hp laserjet_p4515
18 Hp cm8050_mfp
19 Hp cm8060_mfp
20 Hp color_laserjet_3000n
21 Hp color_laserjet_3600n
22 Hp color_laserjet_3800n
23 Hp color_laserjet_4700n
24 Hp color_laserjet_6040_mfp
25 Hp color_laserjet_cm4730_mfp
26 Hp color_laserjet_cp4005n
27 Hp ds_9200c
28 Hp ds_9250c
29 Hp laserjet_2430n
30 Hp laserjet_4250n
31 Hp laserjet_4350n
32 Hp laserjet_9040n
33 Hp laserjet_9050n
34 Hp laserjet_m4345x_mfp
35 Hp laserjet_p3005n
References to Advisories, Solutions, and Tools

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2009-2684 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2009-2684 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Oct. 10, 2018

    Action Type Old Value New Value
    Removed Reference http://www.securityfocus.com/archive/1/archive/1/507038/100/0/threaded [Exploit]
    Added Reference http://www.securityfocus.com/archive/1/507038/100/0/threaded [No Types Assigned]
  • CVE Modified by [email protected]

    Aug. 17, 2017

    Action Type Old Value New Value
    Removed Reference http://xforce.iss.net/xforce/xfdb/53677 [No Types Assigned]
    Added Reference https://exchange.xforce.ibmcloud.com/vulnerabilities/53677 [No Types Assigned]
  • Initial Analysis by [email protected]

    Oct. 13, 2009

    Action Type Old Value New Value
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2009-2684 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2009-2684 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

0.47 }} -0.06%

score

0.72913

percentile

CVSS2 - Vulnerability Scoring System
Access Vector
Access Complexity
Authentication
Confidentiality
Integrity
Availability