Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Insecure Extension Installation by Trusting HTTP Permission Methods on the Server Side V-2024-005.
The application improperly verifies permissions during extension installation, trusting HTTP methods submitted by the client without proper server-side validation (CWE-863 — Improper Authorization). An attacker can remotely, without authentication and user interaction, send an HTTP request causing a malicious extension to be installed. The server accepts such a request, treating it as authorized based solely on the HTTP method.
An attacker can install a malicious extension on the print server, potentially leading to complete system takeover, loss of data confidentiality, breach of integrity, and disruption of printing service availability.
Update Virtual Appliance Host to version 22.0.933 or later and Application to version 20.0.2368 or later. Detailed information is available in the vendor's security bulletin at help.printerlogic.com.
Vasion Print (formerly PrinterLogic) — Virtual Appliance Host in versions prior to 22.0.933 and Application in versions prior to 20.0.2368
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPrinterlogic Vasion Print
APPPrinterlogic< 20.0.2368Printerlogic Virtual Appliance
APPPrinterlogic< 22.0.933
Related vulnerabilities
Vasion Print / PrinterLogic — nieautoryzowana edycja pakietów sterowników
Hardcoded Password w Vasion Print (PrinterLogic) — dostęp bez uwierzytelnienia
Vasion Print / PrinterLogic — pominięcie uwierzytelnienia w API Single Sign-On
SQL Injection w Vasion Print (PrinterLogic) — zdalne przejęcie kontroli
Zakodowany na stałe klucz AWS API w Vasion Print (PrinterLogic)