Home

Description

Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript in the context of an authenticated user's browser session.

PUBLISHED Reserved 2026-02-13 | Published 2026-02-18 | Updated 2026-02-19 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

MP-4200 TH
affected

Credits

Jonatas Fil finder

References

www.exploit-db.com/exploits/47648 (ExploitDB-47648) exploit

web.archive.org/...180814065516/https://www.bematech.com.br/ (Archived Bematech Homepage) product

www.legacyglobal.com/...8n8YIBKrFPFGFc5DKrxdMGChGQ-Y24i8MVQa (Legacy Hardware Page) product

www.vulncheck.com/...tech-printer-mp-th-cross-site-scripting (VulnCheck Advisory: Bematech Printer MP-4200 TH Cross-Site Scripting) third-party-advisory

cve.org (CVE-2019-25356)

nvd.nist.gov (CVE-2019-25356)

Download JSON