CVE-2019-25356

MEDIUM

Bematech MP-4200 TH - XSS

Title source: llm

Description

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript in the context of an authenticated user's browser session.

Exploits (1)

exploitdb WORKING POC

by Jonatas Fil · textdoshardware

https://www.exploit-db.com/exploits/47648

View Code ZIP pw:eip

References (4)

[Various Sources] https://web.archive.org/web/20180814065516/https://www.bematech.com.br/

[Various Sources] https://www.legacyglobal.com/products/bematech-formerly-logic-controls-mp-4200-thermal-receipt-printer/?srsltid=AfmBOor3LXakwJp10bE_8n8YIBKrFPFGFc5DKrxdMGChGQ-Y24i8MVQa

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47648

[Third Party Advisory] https://www.vulncheck.com/advisories/bematech-printer-mp-th-cross-site-scripting

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 3.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Bematech/MP-4200 MP-4200 TH

Published Feb 18, 2026

Tracked Since Feb 19, 2026