CRITICAL🇵🇱 Wersja polska

CVE-2025-27645

CVSS 9.8v3.1pub. 2025-03-05upd. 2025-11-03

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Insecure Extension Installation by Trusting HTTP Permission Methods on the Server Side V-2024-005.

🤖 AI Analysis
How it works

The application improperly verifies permissions during extension installation, trusting HTTP methods submitted by the client without proper server-side validation (CWE-863 — Improper Authorization). An attacker can remotely, without authentication and user interaction, send an HTTP request causing a malicious extension to be installed. The server accepts such a request, treating it as authorized based solely on the HTTP method.

Impact

An attacker can install a malicious extension on the print server, potentially leading to complete system takeover, loss of data confidentiality, breach of integrity, and disruption of printing service availability.

Mitigation & patch

Update Virtual Appliance Host to version 22.0.933 or later and Application to version 20.0.2368 or later. Detailed information is available in the vendor's security bulletin at help.printerlogic.com.

Who is affected

Vasion Print (formerly PrinterLogic) — Virtual Appliance Host in versions prior to 22.0.933 and Application in versions prior to 20.0.2368

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Printerlogic Vasion Print

    APP
    Printerlogic
    < 20.0.2368
  • Printerlogic Virtual Appliance

    APP
    Printerlogic
    < 22.0.933
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-27642CRITICAL9.8PL ✓ten sam produkt

Vasion Print / PrinterLogic — nieautoryzowana edycja pakietów sterowników

CVE-2025-27638CRITICAL9.8PL ✓ten sam produkt

Hardcoded Password w Vasion Print (PrinterLogic) — dostęp bez uwierzytelnienia

CVE-2025-27641CRITICAL9.8PL ✓ten sam produkt

Vasion Print / PrinterLogic — pominięcie uwierzytelnienia w API Single Sign-On

CVE-2025-27640CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Vasion Print (PrinterLogic) — zdalne przejęcie kontroli

CVE-2025-27643CRITICAL9.8PL ✓ten sam produkt

Zakodowany na stałe klucz AWS API w Vasion Print (PrinterLogic)