CVE-2009-0940

High

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Printers, and Digital Senders allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that (1) print documents via unknown vectors, (2) modify the network configuration via a NetIPChange request to hp/device/config_result_YesNo.html/config, or (3) change the password via the Password and ConfirmPassword parameters to hp/device/set_config_password.html/config.

References

http://www.vupen.com/english/advisories/2009/0754

http://www.securityfocus.com/bid/34143

http://www.securityfocus.com/archive/1/501884/100/0/threaded

http://osvdb.org/52849

http://osvdb.org/52848

http://osvdb.org/52847

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01684566

Details

Source: Mitre, NVD

Published: 2009-03-18

Updated: 2026-04-23

Risk Information

CVSS v2

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00837