Vulnerability
PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities.
Prerequisites
To successfully exploit these vulnerabilities, an attacker must be authenticated and have the ability to update the configuration.
Exploit
In the printer configuration, the department field suffers from a stored XSS vulnerability:
<script>alert("dept xss");</script>

In the print server configuration, the description field suffers from a stored XSS vulnerability:
<script>alert("description xss");</script>

For authentication to print as guest, the username field suffers from a stored XSS vulnerability:
<script>alert("guest xss");</script>
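
All three fields share one root cause: a stored value is written into a page without output encoding. The sketch below is an added example, not code from this advisory or from PrinterOn; it contrasts the unencoded and encoded rendering and audits already-stored values. The record layout and function names are assumptions, and the sample data is constructed from the payloads above.

```javascript
// Added example: field names mirror the three fields in the advisory; the
// record layout and function names are assumptions, not PrinterOn's code.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a stored value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is.
function renderCellUnsafe(value) {
  return "<td>" + value + "</td>";
}

// Hardened pattern: encode at output time, whatever was stored.
function renderCellSafe(value) {
  return "<td>" + escapeHtml(value) + "</td>";
}

// Review already-stored configuration for values that change under encoding,
// i.e. values the vulnerable renderer would treat as markup. Benign values
// containing these characters (for example "R&D") are also listed for review.
function auditStoredFields(records) {
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec.fields)) {
      if (escapeHtml(value) !== String(value)) {
        findings.push({ id: rec.id, field, value });
      }
    }
  }
  return findings;
}

// Constructed sample data using the payloads shown in the advisory.
const sampleConfig = [
  { id: "printer-1", fields: { department: '<script>alert("dept xss");</script>' } },
  { id: "server-1", fields: { description: "Second floor print server" } },
  { id: "guest-auth", fields: { username: '<script>alert("guest xss");</script>' } },
];

console.log(renderCellSafe(sampleConfig[0].fields.department));
console.log(auditStoredFields(sampleConfig).map((f) => f.id + "." + f.field));
```

Encoding at render time neutralizes values stored before a fix is deployed; the audit only helps locate those values for cleanup.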

Timeline
04-23-18: Submitted incident through online form, no response
05-02-18: Emailed vendor, no response
05-07-18: Emailed vendor, no response
05-14-18: Emailed vendor, no response
05-15-18: New version released; submitted public disclosure
Reference
Disclaimer
Content is for educational and research purposes only. Author doesn’t hold any responsibility over the misuse of the software, exploits or security findings contained herein and does not condone them whatsoever.