CVE Vulnerability Details :
CVE-2024-27142
PUBLISHED
Assigner: Toshiba
Assigner Org ID: ecc0f906-8666-484c-bcf8-c3b7520a72f0
Published At: 14 Jun, 2024 | 02:28
Updated At: 13 Feb, 2025 | 17:41
Rejected At: -
▼CVE Numbering Authority (CNA)
Pre-authenticated XXE injection

Toshiba printers use XML communication for the API endpoint provided by the printer. The XML parsing library used for this endpoint is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can cause a denial of service (DoS) on the printers and can exploit the XXE to retrieve information. For the affected products/models/versions, see the reference URL.

Affected Products
Vendor
Toshiba Tec Corporation
Product
Toshiba Tec e-Studio multi-function peripheral (MFP)
Platforms
  • Linux
Default Status
unaffected
Versions
Affected
  • see the reference URL
Problem Types
Type | CWE ID | Description
CWE | CWE-776 | CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Metrics
Version | Base score | Base severity | Vector
3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Impacts
CAPEC ID | Description
CAPEC-197 | CAPEC-197 Exponential Data Expansion
Solutions

This issue is fixed in the version released on June 14, 2024 and all later versions.

Workarounds

When connecting the MFPs and printers to an external network such as the Internet, operate them only in a network environment protected by a firewall or similar, to prevent information from being leaked due to incorrect settings and to avoid illegal access by unauthorized users.

Exploits

We are not aware of any malicious exploitation of these vulnerabilities.

Credits

finder
We express our gratitude to Pierre Barre for reporting relevant security vulnerabilities for our products.
Timeline
Event | Date
Fixes will be released | 2024-06-14 02:00:00
References
Hyperlink | Resource
https://www.toshibatec.com/information/20240531_01.html | N/A
https://www.toshibatec.com/information/pdf/information20240531_01.pdf | N/A
https://jvn.jp/en/vu/JVNVU97136265/index.html | N/A
http://seclists.org/fulldisclosure/2024/Jul/1 | N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
2. CVE Program Container
References
Hyperlink | Resource
https://www.toshibatec.com/information/20240531_01.html | x_transferred
https://www.toshibatec.com/information/pdf/information20240531_01.pdf | x_transferred
https://jvn.jp/en/vu/JVNVU97136265/index.html | x_transferred
http://seclists.org/fulldisclosure/2024/Jul/1 | x_transferred