CVE-2009-2684

HP Printers - Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-2684. PoCs published by Digital Security Research Group, sh2kerr.

AI-analyzed exploit summary This advisory describes multiple stored XSS vulnerabilities in HP LaserJet printer web interfaces. The vulnerabilities allow attackers to inject malicious scripts via the 'Product_URL' and 'Tech_URL' parameters in the support_param.html/config page.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and the Embedded Web Server (EWS) on certain HP LaserJet and Color LaserJet printers, and HP Digital Senders, allow remote attackers to inject arbitrary web script or HTML via the (1) Product_URL or (2) Tech_URL parameter in an Apply action to the support_param.html/config script.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Digital Security Research Group · textremotehardware
https://www.exploit-db.com/exploits/10011

This advisory describes multiple stored XSS vulnerabilities in HP LaserJet printer web interfaces. The vulnerabilities allow attackers to inject malicious scripts via the 'Product_URL' and 'Tech_URL' parameters in the support_param.html/config page.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: HP LaserJet printers (various models including 2200, 4350, 4600, 5500)
No auth needed
Prerequisites: Network access to the printer's web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by sh2kerr · textremotehardware
https://www.exploit-db.com/exploits/10055

This advisory describes multiple stored XSS vulnerabilities in HP LaserJet printer web interfaces, specifically in the support_param.html/config script. Attackers can inject malicious scripts via the Product_URL and Tech_URL parameters, which are then stored and executed when the support page is accessed.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: HP LaserJet printers (various models including 2200, 4350, 4600, 5500)
No auth needed
Prerequisites: Network access to the printer's web interface
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36613
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2850
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36969
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507038/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/53677
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=125493484205823&w=2

Scores

EPSS 0.0221
EPSS Percentile 80.3%

Details

CWE
CWE-79
Status published
Products (35)
hp/cm8050_mfp
hp/cm8060_mfp
hp/color_laserjet_3000n
hp/color_laserjet_3600n
hp/color_laserjet_3800n
hp/color_laserjet_4700n
hp/color_laserjet_4730_mfp
hp/color_laserjet_6040_mfp
hp/color_laserjet_cm4730_mfp
hp/color_laserjet_cp3505
... and 25 more
Published Oct 13, 2009
Tracked Since Feb 18, 2026