Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.951 Application 20.0.2368 allows Unauthenticated APIs for Single-Sign On V-2024-009.
The Vasion Print application exposes certain API endpoints related to the Single Sign-On mechanism without requiring authentication (CWE-287 — improper authentication). A remote attacker, over the network, without any privileges or user interaction, can invoke these APIs and bypass access controls. The network vector (AV:N) and lack of attack complexity requirements (AC:L) make the exploit accessible to anyone with network access to the instance.
Successful exploitation of the vulnerability gives the attacker full access to sensitive data, the ability to modify print system configuration and data, and potential disruption of service availability — which corresponds to a C:H/I:H/A:H rating in the CVSS vector.
Update Vasion Print to Virtual Appliance Host version 22.0.951 or later and Application version 20.0.2368 or later. Detailed information is available in the manufacturer's security bulletin at: https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
Vasion Print (formerly PrinterLogic) in Virtual Appliance Host versions prior to 22.0.951 and Application versions prior to 20.0.2368
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPrinterlogic Vasion Print
APPPrinterlogic< 20.0.2368Printerlogic Virtual Appliance
APPPrinterlogic< 22.0.951
Related vulnerabilities
Zakodowany na stałe klucz AWS API w Vasion Print (PrinterLogic)
Hardcoded Password w Vasion Print (PrinterLogic) — dostęp bez uwierzytelnienia
Vasion Print / PrinterLogic — nieautoryzowana edycja pakietów sterowników
SQL Injection w Vasion Print (PrinterLogic) — zdalne przejęcie kontroli
Vasion Print / PrinterLogic — niebezpieczna instalacja rozszerzeń przez HTTP