#VU87139 Cross-site request forgery in FUJIFILM Business Innovation products - CVE-2024-27974


Vulnerability identifier: #VU87139

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27974

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software (all listed under Hardware solutions / Office equipment, IP-phones, print servers):
DocuPrint P455 d
DocuPrint M455 df
DocuPrint C2255
DocuCentre-IV C2260
DocuCentre-IV C2270
DocuCentre-IV C3370
DocuCentre-IV C4470
DocuCentre-IV C5570
ApeosPort-IV C2270
ApeosPort-IV C3370
ApeosPort-IV C4470
ApeosPort-IV C5570
ApeosPort-IV C2270 R
ApeosPort-IV C3370 R
ApeosPort-IV C4470 R
ApeosPort-IV C5570 R
ApeosWide 6050/3030
DocuWide 6057/3037
DocuWide 6055
DocuWide 3035

Vendor: FUJIFILM Business Innovation

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the CentreWare Internet Services and Internet Services web interface of the affected devices. A remote attacker can trick a logged-in user into visiting a specially crafted web page; the victim's browser then sends forged requests to the device, which accepts them because they carry the victim's session, allowing the attacker to perform arbitrary actions on behalf of the victim on the vulnerable web interface.
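The following is an added illustration of the check that is missing here, not code from the affected devices or from FUJIFILM Business Innovation. It contrasts an interface that accepts any state-changing request carrying a valid session cookie with one that also validates the Origin/Referer header and a per-session synchronizer token. The device address (192.0.2.10, a TEST-NET-1 address), the attacker origin, the request shapes and the session store are all constructed for the example.

```python
"""Added example (not vendor code): why a state-changing request to an
embedded web UI must be checked for origin and a per-session token, not just
for a session cookie.  All hosts, paths and tokens below are made up."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed device address (TEST-NET-1, RFC 5737), not a real printer.
DEVICE_ORIGIN = "http://192.0.2.10"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def origin_allowed(headers, allowed_origins):
    """True only if Origin (or, failing that, Referer) names an allowed
    origin.  A missing header fails closed: a request from a browser that
    strips these headers must not be treated as same-origin."""
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send the literal string "null" for opaque/sandboxed
        # origins; it never matches a real origin.
        return origin in allowed_origins
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" in allowed_origins
    return False


def weak_check(request, sessions):
    """What an interface that validates only the session cookie does.  The
    victim's browser attaches the cookie to a forged request as well, so the
    attacker's request is accepted."""
    sid = request["cookies"].get("session")
    return sid in sessions


def hardened_check(request, sessions, allowed_origins=(DEVICE_ORIGIN,)):
    """Origin validation plus a synchronizer token for state-changing
    requests.  Safe methods (GET) pass; they must not change state anyway."""
    if request["method"].upper() not in STATE_CHANGING:
        return True
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return False
    if not origin_allowed(request["headers"], allowed_origins):
        return False
    expected = sessions[sid]["csrf_token"]
    supplied = request["form"].get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected, supplied)


def new_session(sessions):
    """Assumed helper: create a session with its own unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def demo():
    """Constructed requests: one legitimate, one forged from a third-party
    page the victim was tricked into visiting."""
    sessions = {}
    sid = new_session(sessions)
    token = sessions[sid]["csrf_token"]
    legitimate = {
        "method": "POST",
        "headers": {"Origin": DEVICE_ORIGIN},
        "cookies": {"session": sid},
        "form": {"admin_password": "new", "csrf_token": token},
    }
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://attacker.invalid"},
        "cookies": {"session": sid},        # browser attaches it automatically
        "form": {"admin_password": "new"},  # attacker cannot know the token
    }
    return {
        "weak_legit": weak_check(legitimate, sessions),
        "weak_forged": weak_check(forged, sessions),
        "hard_legit": hardened_check(legitimate, sessions),
        "hard_forged": hardened_check(forged, sessions),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The weak check accepts both requests; the hardened check rejects the forged one twice over, first on origin and, if an attacker could somehow spoof that, again on the missing token. Failing closed when neither Origin nor Referer is present matters on embedded interfaces, where the alternative is to let privacy-stripped browsers bypass the origin check entirely.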

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability. Until one is available, the usual CSRF reductions for embedded device interfaces apply: restrict network access to the CentreWare Internet Services / Internet Services web interface to trusted management hosts, and log out of it (or close the browser) before browsing other sites, since a forged request only succeeds while the victim's browser still holds an authenticated session with the device.

Vulnerable software versions

DocuPrint P455 d: All versions

DocuPrint M455 df: All versions

DocuPrint C2255: All versions

DocuCentre-IV C2260: All versions

DocuCentre-IV C2270: All versions

DocuCentre-IV C3370: All versions

DocuCentre-IV C4470: All versions

DocuCentre-IV C5570: All versions

ApeosPort-IV C2270: All versions

ApeosPort-IV C3370: All versions

ApeosPort-IV C4470: All versions

ApeosPort-IV C5570: All versions

ApeosPort-IV C2270 R: All versions

ApeosPort-IV C3370 R: All versions

ApeosPort-IV C4470 R: All versions

ApeosPort-IV C5570 R: All versions

ApeosWide 6050/3030: All versions

DocuWide 6057/3037: All versions

DocuWide 6055: All versions

DocuWide 3035: All versions


External links
https://jvn.jp/en/jp/JVN34328023/index.html
https://www.fujifilm.com/fbglobal/eng/company/news/notice/2024/0306_1_announce.html


Q & A

Can this vulnerability be exploited remotely?

Yes. The attacker needs no credentials on the device (PR:N in the vector above), but the attack requires user interaction (UI:A): a user who is logged in to the device's web interface must visit a page the attacker controls, and the forged request is then sent from that user's browser to the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

