HIO-2010-0420 HP Printers Web Interface CSRF Vulnerability

The web management interface for HP LaserJet Printers, HP Edgeline Printers, HP Photosmart Printers, and HP Digital Senders product lines exhibits a vulnerability which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited, for example, to perform all administrative actions by enticing a logged-in administrator to visit a malicious site.

This was tested on devices such as an HP Photosmart C4700 series printer, resulting in a forced change of the device administrative password.
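The validity check described above as missing can be sketched as follows. This is an added example, not HP firmware code or part of the original advisory. All names (`issue_token`, `is_request_valid`, the `csrf_token` form field) and the sample address and session values are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical names throughout; not taken from any HP firmware.
SERVER_KEY = secrets.token_bytes(32)      # per-boot secret held by the device
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def issue_token(session_id: str) -> str:
    """Token embedded in every admin form, bound to the admin's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict, host: str) -> bool:
    """Accept only requests whose Origin (or Referer) names this device."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                      # fail closed when both are absent
    return urlsplit(source).netloc == host


def is_request_valid(method, headers, session_id, form, host) -> bool:
    """Validity check for a request to the management interface."""
    if method not in STATE_CHANGING:
        return True                       # read-only handlers must not change state
    if not same_origin(headers, host):
        return False
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(supplied, expected)   # constant-time comparison


# Constructed sample requests: an admin password change on a device at 192.0.2.10.
HOST, SID = "192.0.2.10", "constructed-session-id"
forged = ("POST", {"Origin": "http://attacker.example"}, SID,
          {"new_password": "x"}, HOST)
legit = ("POST", {"Referer": "http://192.0.2.10/admin/password.htm"}, SID,
         {"new_password": "x", "csrf_token": issue_token(SID)}, HOST)

if __name__ == "__main__":
    print("forged request accepted:", is_request_valid(*forged))
    print("legitimate request accepted:", is_request_valid(*legit))
```

The session cookie alone is not evidence of intent, because the browser attaches it to cross-site requests as well; the session-bound token and the origin check are what tie the request to a form the device itself served.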

See HP's updated security notice below for more insight. 

 

References:

CVE-2010-pending

BID:

FrSIRT: N/A

Nessus: N/A

OSVDB: 

SA: 34343  

XF: 

Related: CVE-2009-0940

Vendor Solution: HP Security Notice HPSN-2009-001 rev.2 - HP LaserJet Printers, HP Edgeline Printers, HP Photosmart Printers, and HP Digital Senders - Unverified Input

