Lucene search

Ecc0f906-8666-484c-bcf8-c3b7520a72f0NVD:CVE-2024-27163

HistoryJun 14, 2024 - 4:15 a.m.

CVE-2024-27163

2024-06-1404:15:32

CWE-319

ecc0f906-8666-484c-bcf8-c3b7520a72f0

web.nvd.nist.gov

toshiba printers

clear-text password

http requests

admin user

xss vulnerability

compromise

cvss score

vulnerability

contact point

affected products

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

15.5%

JSON

Toshiba printers will display the password of the admin user in clear-text and additional passwords when sending 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing a XSS vulnerability can recover this password in clear-text and compromise the printer. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the “Base Score” of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point.
https://www.toshibatec.com/contacts/products/
As for the affected products/models/versions, see the reference URL.

References

jvn.jp/en/vu/JVNVU97136265/index.html

www.toshibatec.com/information/20240531_01.html

www.toshibatec.com/information/pdf/information20240531_01.pdf

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-27163