CVE-2018-17944
MEDIUM
Lexmark CX725h/CX820/CX825/CX860/XC4150/XC6152/XC8155/XC8160 Firmware - Unauthenticated LDAP/SMTP Credential Exposure
Title source: llm
Description
On certain Lexmark devices that communicate with an LDAP or SMTP server, a malicious administrator can discover LDAP or SMTP credentials by changing that server's hostname to one that they control, and then capturing the credentials that are sent there. This occurs because stored credentials are not automatically deleted upon that type of hostname change.
References (1)
Core References
Vendor Advisory x_refsource_confirm
http://support.lexmark.com/index?page=content&id=TE909
Scores
CVSS v3
4.9
EPSS
0.0089
EPSS Percentile
54.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (8)
lexmark/cx725h_firmware
lexmark/cx820_firmware
lexmark/cx825_firmware
lexmark/cx860_firmware
lexmark/xc4150_firmware
lexmark/xc6152_firmware
lexmark/xc8155_firmware
lexmark/xc8160_firmware
Published
Mar 12, 2019
Tracked Since
Feb 18, 2026