cvelistv5 - cve-2024-36249

cve-2024-36249

Vulnerability from cvelistv5

Published

2024-11-26 07:38

Modified

2024-11-26 14:09

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Summary

Cross-site scripting vulnerability exists in Sharp Corporation and Toshiba Tech Corporation multiple MFPs (multifunction printers). If this vulnerability is exploited, an arbitrary script may be executed on the administrative page of the affected MFPs. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

References

▼	URL	Tags
	vultures@jpcert.or.jp	https://global.sharp/products/copier/info/info_security_2024-05.html
	vultures@jpcert.or.jp	https://jp.sharp/business/print/information/info_security_2024-05.html
	vultures@jpcert.or.jp	https://jvn.jp/en/vu/JVNVU93051062/
	vultures@jpcert.or.jp	https://www.toshibatec.co.jp/information/20240531_02.html
	vultures@jpcert.or.jp	https://www.toshibatec.com/information/20240531_02.html

Impacted products

Vendor

Product

Version

▼

Sharp Corporation

Multiple MFPs (multifunction printers)

Version: See the information provided by Sharp Corporation listed under [References]

Toshiba Tec Corporation

Multiple MFPs (multifunction printers)

Version: See the information provided by Toshiba Tec Corporation listed under [References]

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36249",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-26T14:03:17.536595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T14:09:24.516Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Multiple MFPs (multifunction printers)",
          "vendor": "Sharp Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "See the information provided by Sharp Corporation listed under [References]"
            }
          ]
        },
        {
          "product": "Multiple MFPs (multifunction printers)",
          "vendor": "Toshiba Tec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "See the information provided by Toshiba Tec Corporation listed under [References]"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability exists in Sharp Corporation and Toshiba Tech Corporation multiple MFPs (multifunction printers). If this vulnerability is exploited, an arbitrary script may be executed on the administrative page of the affected MFPs. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site scripting (XSS)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T07:38:18.359Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://global.sharp/products/copier/info/info_security_2024-05.html"
        },
        {
          "url": "https://jp.sharp/business/print/information/info_security_2024-05.html"
        },
        {
          "url": "https://www.toshibatec.com/information/20240531_02.html"
        },
        {
          "url": "https://www.toshibatec.co.jp/information/20240531_02.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93051062/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-36249",
    "datePublished": "2024-11-26T07:38:18.359Z",
    "dateReserved": "2024-05-22T09:00:09.251Z",
    "dateUpdated": "2024-11-26T14:09:24.516Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-36249\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2024-11-26T08:15:06.580\",\"lastModified\":\"2024-11-26T08:15:06.580\",\"vulnStatus\":\"Received\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting vulnerability exists in Sharp Corporation and Toshiba Tech Corporation multiple MFPs (multifunction printers). If this vulnerability is exploited, an arbitrary script may be executed on the administrative page of the affected MFPs. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de cross-site scripting en varias impresoras multifunci\u00f3n de Sharp Corporation y Toshiba Tech Corporation. Si se explota esta vulnerabilidad, se puede ejecutar una secuencia de comandos arbitraria en la p\u00e1gina administrativa de las impresoras multifunci\u00f3n afectadas. En cuanto a los detalles de los nombres de los productos afectados, los n\u00fameros de modelo y las versiones, consulte la informaci\u00f3n proporcionada por los respectivos proveedores que se enumeran en [Referencias].\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://global.sharp/products/copier/info/info_security_2024-05.html\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://jp.sharp/business/print/information/info_security_2024-05.html\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://jvn.jp/en/vu/JVNVU93051062/\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://www.toshibatec.co.jp/information/20240531_02.html\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://www.toshibatec.com/information/20240531_02.html\",\"source\":\"vultures@jpcert.or.jp\"}]}}"
  }
}

cve-2024-36249

Vulnerability from jvndb

Published

2024-06-03 14:36

Modified

2024-06-03 14:36

Severity ?

9.1 (Critical) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Multiple vulnerabilities in Sharp and Toshiba Tec MFPs

Details

Sharp and Toshiba Tec MFPs (multifunction printers) contain multiple vulnerabilities listed below. * Stack-based Buffer Overflow (CWE-121) - CVE-2024-28038 * Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-28955 * Cleartext Storage of Sensitive Information (CWE-312) - CVE-2024-29146 * Plaintext Storage of a Password (CWE-256) - CVE-2024-29978 * Storing Passwords in a Recoverable Format (CWE-257) - CVE-2024-32151 * Path Traversal (CWE-22) - CVE-2024-33605 * Improper Access Control (CWE-284) - CVE-2024-33610, CVE-2024-33616 * Access to Critical Private Variable via Public Method (CWE-767) - CVE-2024-34162 * Use of Hard-coded Credentials (CWE-798) - CVE-2024-35244, CVE-2024-36248 * Cross-site Scripting (CWE-79) - CVE-2024-36249 * Out-of-bounds Read (CWE-125) - CVE-2024-36251, CVE-2024-36254 As for the vulnerabilities listed below, Pierre Barre reported them to JPCERT/CC, and JPCERT/CC coordinated with Sharp Corporation. CVE-2024-28038, CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151, CVE-2024-33605, CVE-2024-33610, CVE-2024-33616, CVE-2024-34162, CVE-2024-35244, CVE-2024-36248, CVE-2024-36251, CVE-2024-36254 As for the vulnerabilities listed below, Sharp Corporation received reports and coordinated with the reporters directly, and after the coordination was completed, Sharp reported them to JPCERT/CC to notify the users of the solutions through JVN. CVE-2024-33610, CVE-2024-36249, CVE-2024-36251, CVE-2024-36254

References

▼	Type	URL
	JVN	https://jvn.jp/en/vu/JVNVU93051062/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-28038
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-28955
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-29146
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-29978
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-32151
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-33605
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-33610
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-33616
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-34162
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-35244
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-36248
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-36249
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-36251
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-36254
	Stack-based Buffer Overflow(CWE-121)	https://cwe.mitre.org/data/definitions/121.html
	Out-of-bounds Read(CWE-125)	https://cwe.mitre.org/data/definitions/125.html
	Path Traversal(CWE-22)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Unprotected Storage of Credentials(CWE-256)	https://cwe.mitre.org/data/definitions/256.html
	Storing Passwords in a Recoverable Format(CWE-257)	https://cwe.mitre.org/data/definitions/257.html
	Improper Access Control(CWE-284)	https://cwe.mitre.org/data/definitions/284.html
	Cleartext Storage of Sensitive Information(CWE-312)	https://cwe.mitre.org/data/definitions/312.html
	Incorrect Permission Assignment for Critical Resource(CWE-732)	https://cwe.mitre.org/data/definitions/732.html
	Access to Critical Private Variable via Public Method(CWE-767)	https://cwe.mitre.org/data/definitions/767.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Use of Hard-coded Credentials(CWE-798)	https://cwe.mitre.org/data/definitions/798.html

Impacted products

▼	Vendor	Product
	Sharp Corporation	(Multiple Products)
	TOSHIBA TEC	(Multiple Products)

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003253.html",
  "dc:date": "2024-06-03T14:36+09:00",
  "dcterms:issued": "2024-06-03T14:36+09:00",
  "dcterms:modified": "2024-06-03T14:36+09:00",
  "description": "Sharp and Toshiba Tec MFPs (multifunction printers) contain multiple vulnerabilities listed below.\r\n\r\n  * Stack-based Buffer Overflow (CWE-121) - CVE-2024-28038\r\n  * Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-28955\r\n  * Cleartext Storage of Sensitive Information (CWE-312) - CVE-2024-29146\r\n  * Plaintext Storage of a Password (CWE-256) - CVE-2024-29978\r\n  * Storing Passwords in a Recoverable Format (CWE-257) - CVE-2024-32151\r\n  * Path Traversal (CWE-22) - CVE-2024-33605\r\n  * Improper Access Control (CWE-284) - CVE-2024-33610, CVE-2024-33616\r\n  * Access to Critical Private Variable via Public Method (CWE-767) - CVE-2024-34162\r\n  * Use of Hard-coded Credentials (CWE-798) - CVE-2024-35244, CVE-2024-36248\r\n  * Cross-site Scripting (CWE-79) - CVE-2024-36249\r\n  * Out-of-bounds Read (CWE-125) - CVE-2024-36251, CVE-2024-36254\r\n\r\nAs for the vulnerabilities listed below, Pierre Barre reported them to JPCERT/CC, and JPCERT/CC coordinated with Sharp Corporation.\r\nCVE-2024-28038, CVE-2024-28955, CVE-2024-29146, CVE-2024-29978, CVE-2024-32151, CVE-2024-33605, CVE-2024-33610, CVE-2024-33616, CVE-2024-34162, CVE-2024-35244, CVE-2024-36248, CVE-2024-36251, CVE-2024-36254\r\n\r\nAs for the vulnerabilities listed below, Sharp Corporation received reports and coordinated with the reporters directly, and after the coordination was completed, Sharp reported them to JPCERT/CC to notify the users of the solutions through JVN.\r\nCVE-2024-33610, CVE-2024-36249, CVE-2024-36251, CVE-2024-36254",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003253.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:sharp:multiple_product",
      "@product": "(Multiple Products)",
      "@vendor": "Sharp Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:toshibatec:multiple_product",
      "@product": "(Multiple Products)",
      "@vendor": "TOSHIBA TEC",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "9.1",
    "@severity": "Critical",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-003253",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU93051062/index.html",
      "@id": "JVNVU#93051062",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-28038",
      "@id": "CVE-2024-28038",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-28955",
      "@id": "CVE-2024-28955",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-29146",
      "@id": "CVE-2024-29146",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-29978",
      "@id": "CVE-2024-29978",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-32151",
      "@id": "CVE-2024-32151",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-33605",
      "@id": "CVE-2024-33605",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-33610",
      "@id": "CVE-2024-33610",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-33616",
      "@id": "CVE-2024-33616",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-34162",
      "@id": "CVE-2024-34162",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-35244",
      "@id": "CVE-2024-35244",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36248",
      "@id": "CVE-2024-36248",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36249",
      "@id": "CVE-2024-36249",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36251",
      "@id": "CVE-2024-36251",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36254",
      "@id": "CVE-2024-36254",
      "@source": "CVE"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/121.html",
      "@id": "CWE-121",
      "@title": "Stack-based Buffer Overflow(CWE-121)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/125.html",
      "@id": "CWE-125",
      "@title": "Out-of-bounds Read(CWE-125)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/256.html",
      "@id": "CWE-256",
      "@title": "Unprotected Storage of Credentials(CWE-256)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/257.html",
      "@id": "CWE-257",
      "@title": "Storing Passwords in a Recoverable Format(CWE-257)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/284.html",
      "@id": "CWE-284",
      "@title": "Improper Access Control(CWE-284)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/312.html",
      "@id": "CWE-312",
      "@title": "Cleartext Storage of Sensitive Information(CWE-312)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/732.html",
      "@id": "CWE-732",
      "@title": "Incorrect Permission Assignment for Critical Resource(CWE-732)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/767.html",
      "@id": "CWE-767",
      "@title": "Access to Critical Private Variable via Public Method(CWE-767)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/798.html",
      "@id": "CWE-798",
      "@title": "Use of Hard-coded Credentials(CWE-798)"
    }
  ],
  "title": "Multiple vulnerabilities in Sharp and Toshiba Tec MFPs"
}

ghsa-97w9-7qcx-qc77

Vulnerability from github

Published

2024-11-26 09:30

Modified

2024-11-26 09:30

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-36249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-26T08:15:06Z",
    "severity": "HIGH"
  },
  "details": "Cross-site scripting vulnerability exists in Sharp Corporation and Toshiba Tech Corporation multiple MFPs (multifunction printers). If this vulnerability is exploited, an arbitrary script may be executed on the administrative page of the affected MFPs. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].",
  "id": "GHSA-97w9-7qcx-qc77",
  "modified": "2024-11-26T09:30:49Z",
  "published": "2024-11-26T09:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36249"
    },
    {
      "type": "WEB",
      "url": "https://global.sharp/products/copier/info/info_security_2024-05.html"
    },
    {
      "type": "WEB",
      "url": "https://jp.sharp/business/print/information/info_security_2024-05.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU93051062"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.co.jp/information/20240531_02.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20240531_02.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-36249

Vulnerability from cvelistv5

cve-2024-36249

Vulnerability from jvndb

ghsa-97w9-7qcx-qc77

Vulnerability from github

Tags

Sightings

Nomenclature