JVNDB-2024-000027

FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery

Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability (CWE-352).

Junnosuke Kushibiki, Ryu Kuki, Masataka Mizokuchi, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed below.

• FUJIFILM Business Inovation Corp.

FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)

• (multiple product)

If a user views a malicious page while logging in, the user information may be altered. In the case the user is an administrator, the settings such as the administrator's ID, password, etc. may be altered.

[Apply workarounds]
The developer states that there are some obsolite models where CSRF prevention function is not implemented.
For those models, applying the following workaround may mitigate the impact of this vulnerability.

* Disable Web UI communication function in the product's settings

FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)

• FUJIFILM Business Innovation Corp. : Notification on the vulnerabilities for Web Based Management embedded in FUJIFLM printers

1. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]

1. CVE-2024-27974

1. JVN : JVN#34328023

• [2024/03/06]
    Web page was published