Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-2156
Vulnerability from csaf_certbund - Published: 2025-09-29 22:00 - Updated: 2025-09-30 22:00Summary
Vasion Print (Virtual Appliance Host und Application): Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Vasion Print (ehemals PrintLogic) ist eine Softwarelösung, die das Druckmanagement und die Dokumentenautomatisierung in Unternehmen ermöglicht.
Angriff
Ein entfernter anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Vasion Print ausnutzen, um serverseitige Request-Forgery-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen, beliebigen Code mit SYSTEM-Rechten auszuführen oder erweiterte Rechte zu erlangen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Vasion Print (ehemals PrintLogic) ist eine Softwarel\u00f6sung, die das Druckmanagement und die Dokumentenautomatisierung in Unternehmen erm\u00f6glicht.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Vasion Print ausnutzen, um serverseitige Request-Forgery-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen, beliebigen Code mit SYSTEM-Rechten auszuf\u00fchren oder erweiterte Rechte zu erlangen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2156 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2156.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2156 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2156"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34228"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34229"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34230"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2025-09-29",
"url": "https://github.com/advisories/GHSA-xj3j-28fv-mq6v"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34231"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34232"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2025-09-29",
"url": "https://github.com/advisories/GHSA-h4fj-xhpc-c3pm"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34233"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2025-09-29",
"url": "https://github.com/advisories/GHSA-m26j-rmr8-5cv6"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34234"
},
{
"category": "external",
"summary": "NIST Vulnerability Database vom 2025-09-29",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34235"
}
],
"source_lang": "en-US",
"title": "Vasion Print (Virtual Appliance Host und Application): Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-09-30T22:00:00.000+00:00",
"generator": {
"date": "2025-10-01T06:46:50.824+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2156",
"initial_release_date": "2025-09-29T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-09-29T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-09-30T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-31642, EUVD-2025-31644, EUVD-2025-31632, EUVD-2025-31623"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Virtual Appliance Host \u003c25.1.102",
"product": {
"name": "Vasion Print Virtual Appliance Host \u003c25.1.102",
"product_id": "T047264"
}
},
{
"category": "product_version",
"name": "Virtual Appliance Host 25.1.102",
"product": {
"name": "Vasion Print Virtual Appliance Host 25.1.102",
"product_id": "T047264-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vasion:print:virtual_appliance_host__25.1.102"
}
}
},
{
"category": "product_version_range",
"name": "Application (VA/SaaS) \u003c25.1.1413",
"product": {
"name": "Vasion Print Application (VA/SaaS) \u003c25.1.1413",
"product_id": "T047265"
}
},
{
"category": "product_version",
"name": "Application (VA/SaaS) 25.1.1413",
"product": {
"name": "Vasion Print Application (VA/SaaS) 25.1.1413",
"product_id": "T047265-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vasion:print:application_%2528vasaas%2529__25.1.1413"
}
}
},
{
"category": "product_version_range",
"name": "Application (Windows client) \u003c25.1.1413",
"product": {
"name": "Vasion Print Application (Windows client) \u003c25.1.1413",
"product_id": "T047271"
}
},
{
"category": "product_version",
"name": "Application (Windows client) 25.1.1413",
"product": {
"name": "Vasion Print Application (Windows client) 25.1.1413",
"product_id": "T047271-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vasion:print:application_%2528windows_client%2529__25.1.1413"
}
}
}
],
"category": "product_name",
"name": "Print"
}
],
"category": "vendor",
"name": "Vasion"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-3422",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-3422"
},
{
"cve": "CVE-2025-34228",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34228"
},
{
"cve": "CVE-2025-34229",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34229"
},
{
"cve": "CVE-2025-34230",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34230"
},
{
"cve": "CVE-2025-34231",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34231"
},
{
"cve": "CVE-2025-34232",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34232"
},
{
"cve": "CVE-2025-34233",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34233"
},
{
"cve": "CVE-2025-34234",
"product_status": {
"known_affected": [
"T047265",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34234"
},
{
"cve": "CVE-2025-34235",
"product_status": {
"known_affected": [
"T047271",
"T047264"
]
},
"release_date": "2025-09-29T22:00:00.000+00:00",
"title": "CVE-2025-34235"
}
]
}
CVE-2025-3422 (GCVE-0-2025-3422)
Vulnerability from cvelistv5 – Published: 2025-04-11 12:42 – Updated: 2025-04-11 13:17
VLAI?
EPSS
Title
Everest Forms <= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Summary
The The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Severity ?
5.4 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpeverest | Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress |
Affected:
* , ≤ 3.1.1
(semver)
|
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T13:17:35.006134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T13:17:46.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Everest Forms \u2013 Contact Form, Quiz, Survey, Newsletter \u0026 Payment Form Builder for WordPress",
"vendor": "wpeverest",
"versions": [
{
"lessThanOrEqual": "3.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Everest Forms \u2013 Contact Form, Quiz, Survey, Newsletter \u0026 Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T12:42:24.394Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3db1d9a0-ea68-4979-a36d-864c649f7aca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3268742/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Everest Forms \u003c= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3422",
"datePublished": "2025-04-11T12:42:24.394Z",
"dateReserved": "2025-04-07T14:57:54.833Z",
"dateUpdated": "2025-04-11T13:17:46.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34233 (GCVE-0-2025-34233)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:38 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Insecure Use of file_get_contents()
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function. When an administrator configures a printer’s hostname (or similar callback field), the value is passed unchecked to PHP’s file_get_contents()/cURL functions, which follow redirects and impose no allow‑list, scheme, or IP‑range restrictions. An admin‑level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service. The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
- CWE‑693 Protection Mechanism Failure
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:33:17.330504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:42:13.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"file_get_contents()"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"file_get_contents()"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function.\u0026nbsp;When an administrator configures a printer\u2019s hostname (or similar callback field), the value is passed unchecked to PHP\u2019s file_get_contents()/cURL functions, which follow redirects and impose no allow\u2011list, scheme, or IP\u2011range restrictions. An admin\u2011level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service.\u0026nbsp;The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function.\u00a0When an administrator configures a printer\u2019s hostname (or similar callback field), the value is passed unchecked to PHP\u2019s file_get_contents()/cURL functions, which follow redirects and impose no allow\u2011list, scheme, or IP\u2011range restrictions. An admin\u2011level attacker can therefore point the hostname to a malicious web server that issues a 301 redirect to internal endpoints such as the AWS EC2 metadata service.\u00a0The server follows the redirect, retrieves the metadata, and returns or stores the credentials, enabling the attacker to steal cloud IAM keys, enumerate internal services, and pivot further into the SaaS infrastructure. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011693 Protection Mechanism Failure",
"lang": "en"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.811Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-use-file_get_contents"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-use-of-file-get-contents-function"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Insecure Use of file_get_contents()",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34233",
"datePublished": "2025-09-29T20:38:49.403Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34230 (GCVE-0-2025-34230)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:40 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Blind SSRF via HP log_off_single_sign_on.php
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/log_off_single_sign_on.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:21:27.562487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:21:42.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-06"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/log_off_single_sign_on.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/log_off_single_sign_on.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/hp/log_off_single_sign_on.php\u003c/span\u003e\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/log_off_single_sign_on.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.313Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-06"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-log-off-single-sign-on-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via HP log_off_single_sign_on.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34230",
"datePublished": "2025-09-29T20:40:39.074Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:37.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34234 (GCVE-0-2025-34234)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:34 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES‑256‑CBC encryption/decryption of the “SaaS Id” (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
- CWE-321 - Use of Hard‑coded Cryptographic Key
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34234",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:34:06.710551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:18.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"printerlogic/pi",
"printerlogic/printer-admin-api",
"printercloud/pi",
"/var/www/app/config/",
"keyfile.ppk.dev",
"keyfile.saasid.ppk.dev"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"printerlogic/pi",
"printerlogic/printer-admin-api",
"printercloud/pi",
"/var/www/app/config/",
"keyfile.ppk.dev",
"keyfile.saasid.ppk.dev"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBecause the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u0026nbsp;\u003c/span\u003eThis vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard\u2011coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.989Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-encryption-private-keys"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34234",
"datePublished": "2025-09-29T20:34:45.051Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34235 (GCVE-0-2025-34235)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:44 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Weak SSL/TLS Certificate Validation RCE
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction‑point DLL injection. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34235",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:04:44.186500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:04:58.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-lpe-04"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"HKLM\\SOFTWARE\\PrinterLogic\\PrinterInstaller\\Overrides\\IgnoreCertificateFailures"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"HKLM\\SOFTWARE\\PrinterLogic\\PrinterInstaller\\Overrides\\IgnoreCertificateFailures"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction\u2011point DLL injection.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003eThis vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driver DLLs, resulting in remote code execution with SYSTEM privileges; a local attacker can achieve local privilege escalation via a junction\u2011point DLL injection.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-217",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-217 Exploiting Incorrectly Configured SSL/TLS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:38.182Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-lpe-04"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-weak-ssl-tls-certificate-validation-rce"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Weak SSL/TLS Certificate Validation RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34235",
"datePublished": "2025-09-29T20:44:01.002Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:38.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34228 (GCVE-0-2025-34228)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:41 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) SSRF via Lexmark update.php
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user‑controlled values and then invokes either 'curl_exec()` or `file_get_contents()` without proper validation. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34228",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:18:15.469709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:19:07.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-04"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/update.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/update.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user\u2011controlled values and then invokes either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u0026nbsp;Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user\u2011controlled values and then invokes either \u0027curl_exec()` or `file_get_contents()` without proper validation.\u00a0Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:36.926Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-04"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-lexmark-update-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) SSRF via Lexmark update.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34228",
"datePublished": "2025-09-29T20:41:29.156Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:36.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34229 (GCVE-0-2025-34229)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:41 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Blind SSRF via HP installApp.php
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/installApp.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T15:20:26.023204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T15:21:11.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-05"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/installApp.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/installApp.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a\u0026nbsp;blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/hp/installApp.php\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a\u00a0blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/installApp.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.130Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-05"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-update-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via HP installApp.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34229",
"datePublished": "2025-09-29T20:41:05.882Z",
"dateReserved": "2025-04-15T19:15:22.574Z",
"dateUpdated": "2025-11-17T23:56:37.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34232 (GCVE-0-2025-34232)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:34 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) Blind SSRF via Lexmark dellCheck.php
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34232",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:34:24.758273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:43:33.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-08"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/dellCheck.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/lexmark/dellCheck.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/var/www/app/console_release/lexmark/dellCheck.php\u003c/span\u003e\u003c/span\u003e script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u0026gt;str_host_address. The code later builds a URL like \u0027http://\u0026lt;host\u2011address\u0026gt;:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u0026nbsp;Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer\u2019s host name in the variable\u202f$printer_vo-\u003estr_host_address. The code later builds a URL like \u0027http://\u003chost\u2011address\u003e:80/DevMgmt/DiscoveryTree.xml\u0027 and sends the request with curl. No validation, whitelist, or private\u2011network filtering is performed before the request is made.\u00a0Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.646Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-08"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-blind-ssrf-via-lexmark-dellcheck-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) Blind SSRF via Lexmark dellCheck.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34232",
"datePublished": "2025-09-29T20:34:00.950Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34231 (GCVE-0-2025-34231)
Vulnerability from cvelistv5 – Published: 2025-09-29 20:40 – Updated: 2025-11-17 23:56
VLAI?
EPSS
Title
Vasion Print (formerly PrinterLogic) SSRF via HP badgeSetup.php
Summary
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The '/var/www/app/console_release/hp/badgeSetup.php' script is reachable from the Internet without any authentication and builds URLs from user‑controlled parameters before invoking either the custom processCurl() function or PHP’s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP‑range validation, or outbound‑network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Vasion | Print Virtual Appliance Host |
Affected:
* , < 25.1.102
(semver)
|
|||||||
|
|||||||||
Credits
Pierre Barre
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:32:50.691740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:25.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/badgeSetup.php"
],
"product": "Print Virtual Appliance Host",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.102",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"/var/www/app/console_release/hp/badgeSetup.php"
],
"product": "Print Application",
"vendor": "Vasion",
"versions": [
{
"lessThan": "25.1.1413",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.102",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.1.1413",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Barre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u0026nbsp;and Application prior to version 25.1.1413\u0026nbsp;(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u0026nbsp;This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.\u003cbr\u003e"
}
],
"value": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102\u00a0and Application prior to version 25.1.1413\u00a0(VA/SaaS deployments) contain a blind and non-blind server-side request forgery (SSRF) vulnerability. The \u0027/var/www/app/console_release/hp/badgeSetup.php\u0027 script is reachable from the Internet without any authentication and builds URLs from user\u2011controlled parameters before invoking either the custom processCurl() function or PHP\u2019s file_get_contents(); in both cases the hostname/URL is taken directly from the request with no whitelist, scheme restriction, IP\u2011range validation, or outbound\u2011network filtering. Consequently, any unauthenticated attacker can force the server to issue arbitrary HTTP requests to internal resources. This enables internal network reconnaissance, credential leakage, pivoting, and data exfiltration.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T23:56:37.493Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-ssrf-07"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-ssrf-via-hp-badgesetup-php-script"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vasion Print (formerly PrinterLogic) SSRF via HP badgeSetup.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34231",
"datePublished": "2025-09-29T20:40:11.596Z",
"dateReserved": "2025-04-15T19:15:22.575Z",
"dateUpdated": "2025-11-17T23:56:37.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…