Lucene search

Canon_EMEACVE-2024-1621

HistorySep 02, 2024 - 8:15 p.m.

CVE-2024-1621

2024-09-0220:15:03

CWE-940

Canon_EMEA

web.nvd.nist.gov

uniflow online

registration process

nt-ware

email login

microsoft safe links

vulnerability

attacker

malicious users

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS4

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:L/SA:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

37.7%

JSON

The registration process of uniFLOW Online (NT-ware product) apps, prior to and including version 2024.1.0, can be compromised when email login is enabled on the tenant. Those tenants utilising email login in combination with Microsoft Safe Links or similar are impacted. This vulnerability may allow the attacker to register themselves against a genuine user in the system and allow malicious users with similar access and capabilities via the app to the existing genuine user.

Affected configurations

Nvd

Node

nt-wareuniflow_onlineRange≤2024.1.0-

nt-wareuniflow_onlineMatch-chrome

nt-wareuniflow_online_print_\&_scanMatch-andriod

nt-wareuniflow_online_print_\&_scanMatch-iphone_os

nt-wareuniflow_smartclientMatch-macos

nt-wareuniflow_smartclientMatch-windows

VendorProductVersionCPE
nt-wareuniflow_online*cpe:2.3:a:nt-ware:uniflow_online:*:*:*:*:*:-:*:*
nt-wareuniflow_online-cpe:2.3:a:nt-ware:uniflow_online:-:*:*:*:*:chrome:*:*
nt-wareuniflow_online_print_\&_scan-cpe:2.3:a:nt-ware:uniflow_online_print_\&_scan:-:*:*:*:*:andriod:*:*
nt-wareuniflow_online_print_\&_scan-cpe:2.3:a:nt-ware:uniflow_online_print_\&_scan:-:*:*:*:*:iphone_os:*:*
nt-wareuniflow_smartclient-cpe:2.3:a:nt-ware:uniflow_smartclient:-:*:*:*:*:macos:*:*
nt-wareuniflow_smartclient-cpe:2.3:a:nt-ware:uniflow_smartclient:-:*:*:*:*:windows:*:*

Vendor	Product	Version	CPE
nt-ware	uniflow_online	*	cpe:2.3:a:nt-ware:uniflow_online::::::-::*
nt-ware	uniflow_online	-	cpe:2.3:a:nt-ware:uniflow_online:-:::::chrome::
nt-ware	uniflow_online_print_\&_scan	-	cpe:2.3:a:nt-ware:uniflow_online_print_\&_scan:-:::::andriod::
nt-ware	uniflow_online_print_\&_scan	-	cpe:2.3:a:nt-ware:uniflow_online_print_\&_scan:-:::::iphone_os::
nt-ware	uniflow_smartclient	-	cpe:2.3:a:nt-ware:uniflow_smartclient:-:::::macos::
nt-ware	uniflow_smartclient	-	cpe:2.3:a:nt-ware:uniflow_smartclient:-:::::windows::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "uniFLOW SmartClient",
      "Mobile Application",
      "Chrome Extension"
    ],
    "product": "uniFLOW Online",
    "vendor": "NT-ware",
    "versions": [
      {
        "lessThanOrEqual": "2024.1.0 (including)",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

ntware.atlassian.net/wiki/spaces/SA/pages/12113215492/2024+Security+Advisory+Device+registration+susceptible+to+compromise

www.canon-europe.com/psirt/advisory-information/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS4

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:L/SA:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

37.7%

JSON

Related for CVE-2024-1621