
JVN#46345126: Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers

Published: 2022-11-01 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: kyocera document solutions, multiple vulnerabilities, command center, session information easily guessable, missing authorization, stored cross-site scripting, firmware update, workaround, products affected

CVSS3 base score: 6.5

  • Attack Vector: ADJACENT
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 (percentile: 47.4%)

“Command Center”, the web interface of multiple MFPs and printers provided by KYOCERA Document Solutions Inc., contains the vulnerabilities listed below.

Session Information Easily Guessable (CWE-287) - CVE-2022-41798

  • CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (Base Score: 6.3)
  • CVSS v2: AV:A/AC:L/Au:N/C:P/I:P/A:P (Base Score: 5.8)

Missing authorization (CWE-425) - CVE-2022-41807

  • CVSS v3: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (Base Score: 5.4)
  • CVSS v2: AV:A/AC:L/Au:N/C:P/I:P/A:N (Base Score: 4.8)

Stored cross-site scripting (CWE-79) - CVE-2022-41830

  • CVSS v3: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (Base Score: 4.8)
  • CVSS v2: AV:N/AC:M/Au:S/C:N/I:P/A:N (Base Score: 3.5)

Impact

  • A network-adjacent attacker may log in to the product - CVE-2022-41798
  • A network-adjacent attacker may modify the product settings without authentication - CVE-2022-41807
  • An arbitrary script may be executed on the web browser of a user who is logged in to the product with administrative privileges - CVE-2022-41830

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
For more information, contact your distributor.

Apply the workaround
Ensure the network connection is safe to avoid access from any untrusted peers.

  • Connect to a firewall-protected network
  • Connect to a network with a private IP address

Products Affected

A wide range of products are affected.
For more information, refer to the information provided by the developer.
