Unprotected Session Information and Reboot Capabilities Exposed

CVE-2024-33610

9.1CRITICAL

Key Information

Vendor: Sharp Corporation
Status: Multiple Mfps (multifunction Printers)
Vendor: CVE Published:; 26 November 2024

Summary

"sessionlist.html" and "sys_trayentryreboot.html" are accessible with no authentication. "sessionlist.html" provides logged-in users' session information including session cookies, and "sys_trayentryreboot.html" allows to reboot the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

Affected Version(s)

Multiple MFPs (multifunction printers) = See the information provided by Sharp Corporation listed under [References]

Multiple MFPs (multifunction printers) = See the information provided by Toshiba Tec Corporation listed under [References]

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Nov 26, 2024
Vulnerability Reserved.
May 22, 2024

Collectors

NVD DatabaseMitre Database