La nuova immagine di TIM
Una nuova immagine con uno stile dinamico, colori moderni e persone che occupano quasi interamente la scena. Scopri di più
Presentazione dei Risultati H1 2025
Vai alla pagina
La Sostenibilità per TIM
Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci
Ultimi Comunicati Stampa
Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati
Vulnerability Description: CWE-400: Denial of Service
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25343
CVSv3: 7.5
Severity: High
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.
NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.
Step-by-step instructions and PoC
The vulnerability is an unauthenticated POST request to the page /download/set.cgi. The web application get on system error by manipulating the variable failhtmfile and adding a relative path to a non-existent file, with most of the common path traversal payloads:
…and so on.
After that, all the resources of the Web Application will answer 404 Not Found, until the printer is restarted.
Affected Endpoints
Below are the evidences with the vulnerability details and the payloads used.
Figure 1: System error - 404 Not Found on all resources