CVE-2019-19773 [Medium] | XSS in Cs31x Firmware

Various Lexmark products have stored XSS in the embedded web server used in older generation Lexmark devices. Affected products are available in http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.34%	0.35%	+0.01%
2	2025-11-18	0.35%	0.34%	-0.01%
3	2025-03-30	—	0.35%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.34%

0.35%

+0.01%

2025-11-18

0.35%

0.34%

-0.01%

2025-03-30

—

0.35%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.4	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.3	2.7	[email protected]
3.5	2.0	LOW	`AV:N/AC:M/Au:S/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:S) A single authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	6.8	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.4

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.3

2.7

[email protected]

3.5

2.0

LOW

AV:N/AC:M/Au:S/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S): A single authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

6.8

2.9

[email protected]

Affected software / configurations for CVE-2019-19773

Vendor	Product	Version	Raw CPE
lexmark	cs31x_firmware	<= lw74.vyl.p267	cpe:2.3:o:lexmark:cs31x_firmware::::::::
lexmark	cs41x_firmware	<= lw74.vy2.p267	cpe:2.3:o:lexmark:cs41x_firmware::::::::
lexmark	cs51x_firmware	<= lw74.vy4.p267	cpe:2.3:o:lexmark:cs51x_firmware::::::::
lexmark	cx310_firmware	<= lw74.gm2.p267	cpe:2.3:o:lexmark:cx310_firmware::::::::
lexmark	cx410_firmware	<= lw74.gm4.p267	cpe:2.3:o:lexmark:cx410_firmware::::::::
lexmark	xc2130_firmware	<= lw74.gm4.p267	cpe:2.3:o:lexmark:xc2130_firmware::::::::
lexmark	cx510_firmware	<= lw74.gm7.p267	cpe:2.3:o:lexmark:cx510_firmware::::::::
lexmark	xc2132_firmware	<= lw74.gm7.p267	cpe:2.3:o:lexmark:xc2132_firmware::::::::
lexmark	ms310_firmware	<= lw74.prl.p267	cpe:2.3:o:lexmark:ms310_firmware::::::::
lexmark	ms312_firmware	<= lw74.prl.p267	cpe:2.3:o:lexmark:ms312_firmware::::::::
lexmark	ms317_firmware	<= lw74.prl.p267	cpe:2.3:o:lexmark:ms317_firmware::::::::
lexmark	ms410_firmware	<= lw74.prl.p267	cpe:2.3:o:lexmark:ms410_firmware::::::::
lexmark	m1140_firmware	<= lw74.prl.p267	cpe:2.3:o:lexmark:m1140_firmware::::::::
lexmark	ms315_firmware	<= lw74.tl2.p267	cpe:2.3:o:lexmark:ms315_firmware::::::::
lexmark	ms415_firmware	<= lw74.tl2.p267	cpe:2.3:o:lexmark:ms415_firmware::::::::
lexmark	ms417_firmware	<= lw74.tl2.p267	cpe:2.3:o:lexmark:ms417_firmware::::::::
lexmark	ms51x_firmware	<= lw74.pr2.p267	cpe:2.3:o:lexmark:ms51x_firmware::::::::
lexmark	ms610dn_firmware	<= lw74.pr2.p267	cpe:2.3:o:lexmark:ms610dn_firmware::::::::
lexmark	ms617_firmware	<= lw74.pr2.p267	cpe:2.3:o:lexmark:ms617_firmware::::::::
lexmark	m1145_firmware	<= lw74.pr2.p267	cpe:2.3:o:lexmark:m1145_firmware::::::::
lexmark	m3150dn_firmware	<= lw74.pr2.p267	cpe:2.3:o:lexmark:m3150dn_firmware::::::::
lexmark	ms610de_firmware	<= lw74.pr4.p267	cpe:2.3:o:lexmark:ms610de_firmware::::::::
lexmark	m3150_firmware	<= lw74.pr4.p267	cpe:2.3:o:lexmark:m3150_firmware::::::::
lexmark	ms71x_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms71x_firmware::::::::
lexmark	m5163dn_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:m5163dn_firmware::::::::
lexmark	ms810_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms810_firmware::::::::
lexmark	ms811_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms811_firmware::::::::
lexmark	ms812_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms812_firmware::::::::
lexmark	ms817_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms817_firmware::::::::
lexmark	ms818_firmware	<= lw74.dn2.p267	cpe:2.3:o:lexmark:ms818_firmware::::::::
lexmark	ms810de_firmware	<= lw74.dn4.p267	cpe:2.3:o:lexmark:ms810de_firmware::::::::
lexmark	m5155_firmware	<= lw74.dn4.p267	cpe:2.3:o:lexmark:m5155_firmware::::::::
lexmark	m5163_firmware	<= lw74.dn4.p267	cpe:2.3:o:lexmark:m5163_firmware::::::::
lexmark	ms812de_firmware	<= lw74.dn7.p267	cpe:2.3:o:lexmark:ms812de_firmware::::::::
lexmark	m5170_firmware	<= lw74.dn7.p267	cpe:2.3:o:lexmark:m5170_firmware::::::::
lexmark	ms91x_firmware	<= lw74.sa.p267	cpe:2.3:o:lexmark:ms91x_firmware::::::::
lexmark	mx31x_firmware	<= lw74.sb2.p267	cpe:2.3:o:lexmark:mx31x_firmware::::::::
lexmark	xm1135_firmware	<= lw74.sb2.p267	cpe:2.3:o:lexmark:xm1135_firmware::::::::
lexmark	mx410_firmware	<= lw74.sb4.p267	cpe:2.3:o:lexmark:mx410_firmware::::::::
lexmark	mx510_firmware	<= lw74.sb4.p267	cpe:2.3:o:lexmark:mx510_firmware::::::::
lexmark	mx511_firmware	<= lw74.sb4.p267	cpe:2.3:o:lexmark:mx511_firmware::::::::
lexmark	xm1140_firmware	<= lw74.sb4.p267	cpe:2.3:o:lexmark:xm1140_firmware::::::::
lexmark	xm1145_firmware	<= lw74.sb4.p267	cpe:2.3:o:lexmark:xm1145_firmware::::::::
lexmark	mx610_firmware	<= lw74.sb7.p267	cpe:2.3:o:lexmark:mx610_firmware::::::::
lexmark	mx611_firmware	<= lw74.sb7.p267	cpe:2.3:o:lexmark:mx611_firmware::::::::
lexmark	xm3150_firmware	<= lw74.sb7.p267	cpe:2.3:o:lexmark:xm3150_firmware::::::::
lexmark	mx71x_firmware	<= lw74.tu.p267	cpe:2.3:o:lexmark:mx71x_firmware::::::::
lexmark	mx81x_firmware	<= lw74.tu.p267	cpe:2.3:o:lexmark:mx81x_firmware::::::::
lexmark	xm51xx_firmware	<= lw74.tu.p267	cpe:2.3:o:lexmark:xm51xx_firmware::::::::
lexmark	xm71xx_firmware	<= lw74.tu.p267	cpe:2.3:o:lexmark:xm71xx_firmware::::::::
lexmark	mx91x_firmware	<= lw74.mg.p267	cpe:2.3:o:lexmark:mx91x_firmware::::::::
lexmark	xm91x_firmware	<= lw74.mg.p267	cpe:2.3:o:lexmark:xm91x_firmware::::::::
lexmark	mx6500e_firmware	<= lw74.jd.p267	cpe:2.3:o:lexmark:mx6500e_firmware::::::::
lexmark	c746_firmware	<= lhs60.cm2.p731	cpe:2.3:o:lexmark:c746_firmware::::::::
lexmark	c748_firmware	<= lhs60.cm4.p735	cpe:2.3:o:lexmark:c748_firmware::::::::
lexmark	cs748_firmware	<= lhs60.cm4.p735	cpe:2.3:o:lexmark:cs748_firmware::::::::
lexmark	c792_firmware	<= lhs60.hc.p735	cpe:2.3:o:lexmark:c792_firmware::::::::
lexmark	cs796_firmware	<= lhs60.hc.p735	cpe:2.3:o:lexmark:cs796_firmware::::::::
lexmark	c925_firmware	<= lhs60.hv.p735	cpe:2.3:o:lexmark:c925_firmware::::::::
lexmark	c950_firmware	<= lhs60.tp.p735	cpe:2.3:o:lexmark:c950_firmware::::::::
lexmark	x548_firmware	<= lhs60.vk.p735	cpe:2.3:o:lexmark:x548_firmware::::::::
lexmark	xs548_firmware	<= lhs60.vk.p735	cpe:2.3:o:lexmark:xs548_firmware::::::::
lexmark	x74x_firmware	<= lhs60.ny.p735	cpe:2.3:o:lexmark:x74x_firmware::::::::
lexmark	xs748_firmware	<= lhs60.ny.p735	cpe:2.3:o:lexmark:xs748_firmware::::::::
lexmark	x792_firmware	<= lhs60.mr.p735	cpe:2.3:o:lexmark:x792_firmware::::::::
lexmark	xs79x_firmware	<= lhs60.mr.p735	cpe:2.3:o:lexmark:xs79x_firmware::::::::
lexmark	x925_firmware	<= lhs60.hk.p735	cpe:2.3:o:lexmark:x925_firmware::::::::
lexmark	xs925_firmware	<= lhs60.hk.p735	cpe:2.3:o:lexmark:xs925_firmware::::::::
lexmark	x95x_firmware	<= lhs60.tq.p735	cpe:2.3:o:lexmark:x95x_firmware::::::::
lexmark	xs95x_firmware	<= lhs60.tq.p735	cpe:2.3:o:lexmark:xs95x_firmware::::::::
lexmark	6500e_firmware	<= lhs60.jr.p735	cpe:2.3:o:lexmark:6500e_firmware::::::::
lexmark	c734_firmware	<= lr.sk.p822	cpe:2.3:o:lexmark:c734_firmware::::::::
lexmark	c736_firmware	<= lr.ske.p822	cpe:2.3:o:lexmark:c736_firmware::::::::
lexmark	e46x_firmware	<= lr.lbh.p822	cpe:2.3:o:lexmark:e46x_firmware::::::::
lexmark	t65x_firmware	<= lr.jp.p822	cpe:2.3:o:lexmark:t65x_firmware::::::::
lexmark	x46x_firmware	<= lr.bs.p822	cpe:2.3:o:lexmark:x46x_firmware::::::::
lexmark	x65x_firmware	<= lr.mn.p822	cpe:2.3:o:lexmark:x65x_firmware::::::::
lexmark	x73x_firmware	<= lr.fl.p822	cpe:2.3:o:lexmark:x73x_firmware::::::::
lexmark	w850_firmware	<= lp.jb.p821	cpe:2.3:o:lexmark:w850_firmware::::::::
lexmark	x86x_firmware	<= lp.sp.p821	cpe:2.3:o:lexmark:x86x_firmware::::::::

References for CVE-2019-19773

URL	Tags
http://support.lexmark.com/index?page=content&id=TE935&locale=en&userlocale=EN_US	Vendor Advisory

URL

CVE-2019-19773

Exploit prediction scoring system (EPSS) score for CVE-2019-19773

Common vulnerability scoring system (CVSS) metrics for CVE-2019-19773

Weakness enumeration for CVE-2019-19773

Affected software / configurations for CVE-2019-19773

References for CVE-2019-19773