Security Bulletins
14/06/2024
Target Products: ES9466MFP/ES9476MFP
Some APIs (Application Programming Interfaces) accept HTTP requests to the multifunction device without authentication, which can cause the device to stop operating (denial of service, DoS).
Vulnerability identification number: CVE-2024-27141, CVE-2024-27142
Because some programs run with root privileges, if the programs are hijacked through certain means, arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27143, CVE-2024-27146, CVE-2024-27147
Due to inappropriate permission settings for some programs, if root privileges are hijacked through certain means, arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171
With the web management program (TopAccess), it is possible to place any file in the multifunction device.
Vulnerability identification number: CVE-2024-27144, CVE-2024-7145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178
Because some authentication information is written to the log file, a third party who has access to the multifunction device can steal that information by spoofing external communications.
Vulnerability identification number: CVE-2024-27154, CVE-2024-27156, CVE-2024-27157
Because some information is stored unencrypted, it can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27166
Because important information is included in the debugging log file, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27179
Because shared authentication information is used for access between the internal programs of the multifunction device, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27158
Because some of the authentication information between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170
Because part of the authentication password between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27164
There is a cross-site scripting vulnerability in the web management program (TopAccess), which allows information to be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27162
Because some of the communication between the internal programs of the multifunction device is not encrypted, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27163
Part of the internal program code of the multifunction device uses a vulnerable code set, so information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27165
Because there is a way to access some APIs of the internal programs of multifunction devices without authorization, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27169
There is a way to access some APIs of the internal programs of multifunction devices without authorization, so arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27172
Some APIs in the internal programs of multifunction devices do not validate file-name input, so arbitrary files can be placed in the multifunction device.
Vulnerability identification number: CVE-2024-27175
The encryption key used to install an application on the multifunction device becomes temporarily replaceable, allowing the information inside the multifunction device to be tampered with.
Vulnerability identification number: CVE-2024-27180
When the user authentication function is disabled, it is possible to bypass the administrator authentication process for the web page for accessing the multifunction device's system information and uploading drivers.
Vulnerability identification number: CVE-2024-3496
If a multifunction device has a directory traversal vulnerability and user authentication is disabled, files on the multifunction device can be overwritten or new files can be placed.
Vulnerability identification number: CVE-2024-3497
If user authentication is disabled, a malicious file can be executed by enabling the service from the MFP's web interface, elevating its privileges to root.
Vulnerability identification number: CVE-2024-3498
Solution: Ask your service company to update the main unit software.
Workaround: When connecting to the Internet, connect through a network protected by a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.
©1995-2025 Oki Europe Ltd.