CVE-2022-25344

Name of the Vulnerable Software and Affected Versions Kyocera d-COLOR MF3555 version 2XD S000.002.271

Description A cross-site scripting (XSS) issue was discovered. The Web Application does not properly check parameters sent in a "/dvcset/sysset/set.cgi" POST request via the arg01.Hostname field before saving them on the server. The JavaScript malicious content is then reflected back to the end user and executed by the web browser.

Recommendations For Kyocera d-COLOR MF3555 version 2XD S000.002.271, as a temporary workaround, consider restricting access to the "/dvcset/sysset/set.cgi" API endpoint to minimize the risk of exploitation. Avoid using the arg01.Hostname field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.