Vulnerability Details : CVE-2022-42909
WEPA Print Away does not verify that a user has authorization to access documents before generating print orders and associated release codes. This could allow an attacker to generate print orders and release codes for documents they don't own and print them without authorization. In order to exploit this vulnerability, the user must have an account with wepanow.com or any of the institutions they serve, and be logged in.
Published
2023-02-03 19:15:13
Updated
2023-02-10 17:34:15
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-42909
- cpe:2.3:a:wepanow:print_away:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-42909
0.05%
Probability of exploitation activity in the next 30 days
~ 20 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-42909
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | Spanish National Cybersecurity Institute, S.A. (INCIBE) | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 | NIST | |
CWE ids for CVE-2022-42909
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: cve-coordination@incibe.es (Secondary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-42909
- https://enrique.wtf/CVE-2022-42909
  Contact Me - Enrique Benvenutto (Third Party Advisory)
- https://www.incibe-cert.es/en/early-warning/security-advisories/multiple-vulnerabilities-wepa-print-away
  Multiple vulnerabilities in WEPA Print Away | INCIBE-CERT (Third Party Advisory)