Cross-site request forgery in FUJIFILM printers



Published: 2024-03-06
Risk Low
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2024-27974
CWE-ID CWE-352
Exploitation vector Network
Public exploit N/A
Vulnerable software
Hardware solutions / Office equipment, IP-phones, print servers

DocuPrint P455 d
DocuPrint M455 df
DocuPrint C2255
DocuCentre-IV C2260
DocuCentre-IV C2270
DocuCentre-IV C3370
DocuCentre-IV C4470
DocuCentre-IV C5570
ApeosPort-IV C2270
ApeosPort-IV C3370
ApeosPort-IV C4470
ApeosPort-IV C5570
ApeosPort-IV C2270 R
ApeosPort-IV C3370 R
ApeosPort-IV C4470 R
ApeosPort-IV C5570 R
ApeosWide 6050/3030
DocuWide 6057/3037
DocuWide 6055
DocuWide 3035

Vendor FUJIFILM Business Innovation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU87139

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-27974

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the CentreWare Internet Services and Internet Services. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
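The missing control described above is a server-side check that a state-changing request actually originated from the device's own web UI. The following is an added illustration of that check, not code from FUJIFILM or from the advisory; the host names, header values and tokens are constructed example values. It fails closed (no Origin and no Referer means reject) and pairs the origin check with a synchronizer token, which is the usual defence against CWE-352.

```python
import hmac
from urllib.parse import urlsplit

# Hosts under which the device's web UI is legitimately reached.
# Constructed example values, not taken from the advisory.
ALLOWED_HOSTS = {"printer.example.local", "192.0.2.10"}


def origin_host(header_value):
    """Return the lower-cased host[:port] of an Origin/Referer value,
    or None if the header is absent, 'null', or not an http(s) URL."""
    if not header_value:
        return None
    parts = urlsplit(header_value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def is_same_origin_request(method, headers, allowed_hosts=ALLOWED_HOSTS):
    """Allow safe methods; for state-changing methods require that Origin
    (or, if Origin is absent, Referer) names one of the device's own hosts."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    lower = {k.lower(): v for k, v in headers.items()}
    source = origin_host(lower.get("origin")) or origin_host(lower.get("referer"))
    # Fail closed: a cross-site form post carries the attacker's site as
    # Origin, and a request with neither header cannot prove where it came from.
    return source is not None and source in allowed_hosts


def csrf_token_matches(form_token, session_token):
    """Synchronizer-token check; constant-time compare avoids timing leaks."""
    if not form_token or not session_token:
        return False
    return hmac.compare_digest(form_token, session_token)


def accept_state_change(method, headers, form_token, session_token):
    """Combined gate a web UI should apply before honouring a settings change."""
    return is_same_origin_request(method, headers) and csrf_token_matches(
        form_token, session_token
    )
```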

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

DocuPrint P455 d: All versions

DocuPrint M455 df: All versions

DocuPrint C2255: All versions

DocuCentre-IV C2260: All versions

DocuCentre-IV C2270: All versions

DocuCentre-IV C3370: All versions

DocuCentre-IV C4470: All versions

DocuCentre-IV C5570: All versions

ApeosPort-IV C2270: All versions

ApeosPort-IV C3370: All versions

ApeosPort-IV C4470: All versions

ApeosPort-IV C5570: All versions

ApeosPort-IV C2270 R: All versions

ApeosPort-IV C3370 R: All versions

ApeosPort-IV C4470 R: All versions

ApeosPort-IV C5570 R: All versions

ApeosWide 6050/3030: All versions

DocuWide 6057/3037: All versions

DocuWide 6055: All versions

DocuWide 3035: All versions

External links

http://jvn.jp/en/jp/JVN34328023/index.html
http://www.fujifilm.com/fbglobal/eng/company/news/notice/2024/0306_1_announce.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
