Vasion Print Blind Server-Side Request Forgery Vulnerability via HP Log Off Single Sign-On Script

A blind server-side request forgery (SSRF) vulnerability has been identified in Vasion Print Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413, specifically in VA/SaaS deployments. The vulnerability is accessible through the /var/www/app/console_release/hp/log_off_single_sign_on.php script, allowing unauthenticated users to exploit it. When a printer is registered, the software saves the printer's host name, which is later used to build a URL that the application requests using curl. The vulnerability arises because the application does not validate, whitelist, or filter private network addresses before making the request. Although the exploitation is blind and the data cannot be seen directly, it could still be used to probe internal services, trigger internal actions, or collect other intelligence.

Impact

Exploitation of this vulnerability allows for blind SSRF, where an attacker can induce the server to make requests on their behalf. This could be used to probe internal services, trigger internal actions, or gather intelligence, all without direct visibility into the response.

Remediation

Users can update to Vasion Print Virtual Appliance Host version 25.1.102 and Application version 25.1.1413 or later. Instructions for updating the Vasion Windows Client are available in the Vasion Print Client Updates documentation.