JVN#34328023 FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
JVN#34328023
FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Overview FUJIFILM Business Innovation Corp. printers contain a cross-site request forgery vulnerability. Products Affected As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed below. Description Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability (CWE-352). Impact If a user views a malicious page while logging in, the user information may be altered. In the case the user is an administrator, the settings such as the administrator’s ID, password, etc. may be altered. Solution Apply workarounds The developer states that there are some obsolite models where CSRF prevention function is not implemented. For those models, applying the following workaround may mitigate the impact of this vulnerability. Disable Web UI communication function in the product’s settings Vendor Status Vendor Link FUJIFILM Business Innovation Corp. Notification on the vulnerability for CentreWare Internet Services or Internet Services in FUJIFILM printers References JPCERT/CC Addendum Vulnerability Analysis by JPCERT/CC Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N) Attack Complexity(AC) High (H) Low (L) Privileges Required(PR) High (H) Low (L) None (N) User Interaction(UI) Required (R) None (N) Scope(S) Unchanged (U) Changed (C) Confidentiality Impact(C) None (N) Low (L) High (H) Integrity Impact(I) None (N) Low (L) High (H) Availability Impact(A) None (N) Low (L) High (H) Access Vector(AV) Local (L) Adjacent Network (A) Network (N) Access Complexity(AC) High (H) Medium (M) Low (L) Authentication(Au) Multiple (M) Single (S) None (N) Confidentiality Impact(C) None (N) Partial (P) Complete (C) Integrity Impact(I) None (N) Partial (P) Complete (C) Availability Impact(A) None (N) Partial (P) Complete (C) Credit Junnosuke Kushibiki, Ryu Kuki, Masataka Mizokuchi, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Other Information JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
CVE-2024-27974
JVN iPedia
JVNDB-2024-000027