cvebase

Vasion Print Application vulnerabilities

43 known vulnerabilities affecting vasion/print_application.

Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 17, MEDIUM 7

Vulnerabilities

Page 2 of 3
CVE-2025-34198 | P3 | CRITICAL | CVSS 9.8 | fixed in 20.0.2368 | 2025-09-19
CWE-798: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in the appliance image. The same private host keys (RSA, ECDSA, and ED25519) are present across installations, rather than being uniquely generated per a
nvd
CVE-2025-34206 | P3 | CRITICAL | CVSS 9.8 | v* | 2025-09-19
CWE-312: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host configuration and secret material under /var/www/efs_storage into many Docker containers with overly-permissive filesystem permissions. Files such as secrets.env, GPG-encrypted blobs in .secrets, MySQL client keys, and application sessi
nvd
CVE-2025-34204 | P3 | CRITICAL | CVSS 9.8 | v* | 2025-09-19
CWE-269: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contain multiple Docker containers that run primary application processes (for example PHP workers, Node.js servers and custom binaries) as the root user. This increases the blast radius of a container compromise and enables lateral movement and
nvd
CVE-2025-34191 | P3 | HIGH | CVSS 8.4 | fixed in 20.0.1923 | 2025-09-19
CWE-59: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (macOS/Linux client deployments) contain an arbitrary file write vulnerability via the response file handling. When tasks produce output the service writes response data into files under /opt/PrinterInstallerClient/tmp/responses/ re
nvd
CVE-2025-34190 | P3 | HIGH | CVSS 7.8 | fixed in 25.1.1413 | 2025-09-19
CWE-306: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication bypass in PrinterInstallerClientService. The service requires root privileges for certain administrative operations, but these checks rely on calls to ge
nvd
CVE-2025-34209 | P3 | HIGH | CVSS 7.2 | fixed in 20.0.2014 | 2025-09-29
CWE-798: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.862 and Application prior to 20.0.2014 (VA and SaaS deployments) contain Docker images with the private GPG key and passphrase for the account *no‑reply+virtual‑[email protected]*. The key is stored in cleartext and the passphrase is hardcoded in files. An attacker with
nvd
CVE-2025-34199 | P3 | HIGH | CVSS 8.1 | fixed in 20.0.2786 | 2025-09-19
CWE-295: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 (VA and SaaS deployments) contain insecure defaults and code patterns that disable TLS/SSL certificate verification for communications to printers and internal microservices. In multiple places, the application sets libcu
nvd
CVE-2025-34200 | P3 | HIGH | CVSS 7.8 | v* | 2025-09-19
CWE-312: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using
nvd
CVE-2025-34197 | P3 | HIGH | CVSS 7.8 | fixed in 20.0.2368 | 2025-09-19
CWE-798: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951, Application prior to 20.0.2368 (VA and SaaS deployments) contain an undocumented local user account named ubuntu with a preset password and a sudoers entry granting that account passwordless root privileges (ubuntu ALL=(ALL) NOPASSWD: ALL). Anyone who knows the hard
nvd
CVE-2025-34194 | P3 | HIGH | CVSS 7.8 | fixed in 25.1.1413 | 2025-09-19
CWE-59: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (Windows client deployments) contain an insecure temporary-file handling vulnerability in the PrinterInstallerClient components. The software creates files as NT AUTHORITY\SYSTEM inside a directory under the control of the
nvd
CVE-2025-34235 | P3 | HIGH | CVSS 7.8 | fixed in 25.1.1413 | 2025-09-29
CWE-295: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (Windows client deployments) contain a registry key that can be enabled by administrators, causing the client to skip SSL/TLS certificate validation. An attacker who can intercept HTTPS traffic can then inject malicious driv
nvd
CVE-2025-34189 | P3 | HIGH | CVSS 7.8 | fixed in 20.0.1330 | 2025-09-19
CWE-732: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local inter-process communication (IPC) mechanism. The software stores IPC request and response files inside /opt/PrinterInstallerClient/tmp with world-readabl
nvd
CVE-2025-34208 | P3 | HIGH | CVSS 7.5 | v* | 2025-10-02
CWE-327: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpContro
nvd
CVE-2025-34234 | P3 | HIGH | CVSS 7.5 | fixed in 25.1.1413 | 2025-09-29
CWE-321: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www
nvd
CVE-2025-34188 | P3 | HIGH | CVSS 7.8 | fixed in 20.0.1330 | 2025-09-19
CWE-532: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local logging mechanism. Authentication session tokens, including PHPSESSID, XSRF-TOKEN, and laravel_session, are stored in cleartext within world-readable log files. A
nvd
CVE-2025-34201 | P3 | HIGH | CVSS 7.8 | v* | 2025-09-19
CWE-653: Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation between instances. A compromise of any single container allows direct access to internal services (HTTP, Redis, MySQL, etc.) on the overlay network. From a comp
nvd
CVE-2025-34229 | P3 | MEDIUM | CVSS 5.8 | fixed in 25.1.1413 | 2025-09-29
CWE-306: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/installApp.php script that can be exploited by an unauthenticated user. When a printe
nvd
CVE-2025-34230 | P3 | MEDIUM | CVSS 5.8 | fixed in 25.1.1413 | 2025-09-29
CWE-306: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/hp/log_off_single_sign_on.php script that can be exploited by an unauthenticated user. W
nvd
CVE-2025-34233 | P3 | MEDIUM | CVSS 6.8 | fixed in 25.1.1413 | 2025-09-29
CWE-918: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a protection mechanism failure vulnerability within the file_get_contents() function. When an administrator configures a printer’s hostname (or similar callback field), the value is passed unc
nvd
CVE-2025-34232 | P4 | MEDIUM | CVSS 5.3 | fixed in 25.1.1413 | 2025-09-29
CWE-306: Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a pr
nvd