Unprotected Session Information and Reboot Capabilities Exposed
CVE-2024-33610

9.1 CRITICAL

Key Information:

Vendor: Sharp Corporation
Product: Multiple MFPs (multifunction printers)
CVE Published: 26 November 2024

Summary

CVE-2024-33610 affects select Sharp and Toshiba multifunction printers on which specific HTML pages, such as 'sessionlist.html' and 'sys_trayentryreboot.html', are accessible without authentication. The 'sessionlist.html' page can expose sensitive session information, including session cookies of logged-in users, while 'sys_trayentryreboot.html' allows unauthorized users to reboot the printer. This could lead to session hijacking and unauthorized control over the device, posing significant security risks.

Affected Version(s)

Multiple MFPs (multifunction printers): see the information provided by Sharp Corporation listed under [References]

Multiple MFPs (multifunction printers): see the information provided by Toshiba Tec Corporation listed under [References]

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
