Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Unauthenticated Driver Package Editing V-2024-008.
The application does not require authentication (CWE-306 — missing access control) for functions responsible for driver package management. An attacker can remotely modify driver packages distributed to print clients over the network without any credentials and without user interaction. The injected driver package may contain malicious code that will subsequently be installed on workstations downloading drivers from the server.
An attacker can substitute legitimate driver packages with malicious ones, leading to compromise of confidentiality, integrity, and availability of systems — including potential takeover of workstations downloading infected drivers.
Virtual Appliance Host must be updated to version 22.0.933 or later and Application to version 20.0.2368 or later. Detailed information is available in the vendor's security bulletin at the address indicated in the references.
Vasion Print (formerly PrinterLogic) in Virtual Appliance Host versions below 22.0.933 and Application versions below 20.0.2368
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPrinterlogic Vasion Print
APPPrinterlogic< 20.0.2368Printerlogic Virtual Appliance
APPPrinterlogic< 22.0.933
Related vulnerabilities
Zakodowany na stałe klucz AWS API w Vasion Print (PrinterLogic)
Hardcoded Password w Vasion Print (PrinterLogic) — dostęp bez uwierzytelnienia
Vasion Print / PrinterLogic — pominięcie uwierzytelnienia w API Single Sign-On
SQL Injection w Vasion Print (PrinterLogic) — zdalne przejęcie kontroli
Vasion Print / PrinterLogic — niebezpieczna instalacja rozszerzeń przez HTTP