CVE-2024-23785 - OpenCVE

Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sharp	Jh-rv11 Jh-rv11 Firmware Jh-rvb1 Jh-rvb1 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:sharp:jh-rvb1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sharp:jh-rvb1:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:sharp:jh-rv11_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sharp:jh-rv11:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf
https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf
https://jvn.jp/en/vu/JVNVU94591337/

History

Thu, 17 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sharp Sharp jh-rv11 Sharp jh-rv11 Firmware Sharp jh-rvb1 Sharp jh-rvb1 Firmware
Weaknesses		CWE-352
CPEs		cpe:2.3:h:sharp:jh-rv11:::::::: cpe:2.3:h:sharp:jh-rvb1:::::::: cpe:2.3:o:sharp:jh-rv11_firmware:::::::: cpe:2.3:o:sharp:jh-rvb1_firmware::::::::
Vendors & Products		Sharp Sharp jh-rv11 Sharp jh-rv11 Firmware Sharp jh-rvb1 Sharp jh-rvb1 Firmware
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2024-02-14T10:07:11.603Z

Updated: 2024-08-14T18:09:03.192Z

Reserved: 2024-01-22T09:56:37.454Z

Link: CVE-2024-23785

Vulnrichment

Updated: 2024-08-01T23:13:07.336Z

NVD

Status : Analyzed

Published: 2024-02-14T10:15:08.663

Modified: 2024-10-17T15:15:27.240

Link: CVE-2024-23785

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23785", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2024-01-22T09:56:37.454Z", "datePublished": "2024-02-14T10:07:11.603Z", "dateUpdated": "2024-08-14T18:09:03.192Z"}, "containers": {"cna": {"affected": [{"vendor": "SHARP CORPORATION", "product": "Energy Management Controller with Cloud Services", "versions": [{"version": "JH-RVB1 Ver.B0.1.9.1 and earlier", "status": "affected"}]}, {"vendor": "SHARP CORPORATION", "product": "Energy Management Controller with Cloud Services", "versions": [{"version": "JH-RV11 Ver.B0.1.9.1 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings."}], "problemTypes": [{"descriptions": [{"description": "Cross-site request forgery (CSRF)", "lang": "en", "type": "text"}]}], "references": [{"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf"}, {"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU94591337/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-02-14T10:07:11.603Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:07.336Z"}, "title": "CVE Program Container", "references": [{"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf", "tags": ["x_transferred"]}, {"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/vu/JVNVU94591337/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-14T18:08:52.223299Z", "id": "CVE-2024-23785", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-14T18:09:03.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf", "tags": ["x_transferred"]}, {"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/vu/JVNVU94591337/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:07.336Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23785", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-14T18:08:52.223299Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-14T18:08:59.589Z"}}], "cna": {"affected": [{"vendor": "SHARP CORPORATION", "product": "Energy Management Controller with Cloud Services", "versions": [{"status": "affected", "version": "JH-RVB1 Ver.B0.1.9.1 and earlier"}]}, {"vendor": "SHARP CORPORATION", "product": "Energy Management Controller with Cloud Services", "versions": [{"status": "affected", "version": "JH-RV11 Ver.B0.1.9.1 and earlier"}]}], "references": [{"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf"}, {"url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf"}, {"url": "https://jvn.jp/en/vu/JVNVU94591337/"}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Cross-site request forgery (CSRF)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-02-14T10:07:11.603Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23785", "state": "PUBLISHED", "dateUpdated": "2024-08-14T18:09:03.192Z", "dateReserved": "2024-01-22T09:56:37.454Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2024-02-14T10:07:11.603Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sharp:jh-rvb1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7EC16DF-21FB-473F-8F62-DDBF1C149A9B", "versionEndIncluding": "b0.1.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sharp:jh-rvb1:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE2814EB-D067-4920-A450-4F90431EA461", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sharp:jh-rv11_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0A2340C-A0BC-4DD5-A120-F7041D76D776", "versionEndIncluding": "b0.1.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sharp:jh-rv11:*:*:*:*:*:*:*:*", "matchCriteriaId": "C13F6906-8ED6-40DE-8B18-260B7765C4A9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings."}, {"lang": "es", "value": "Vulnerabilidad de cross-site request forgery en Energy Management Controller con servicios en la nube JH-RVB1 /JH-RV11 Ver.B0.1.9.1 y anteriores permite que un atacante remoto no autenticado cambie la configuraci\u00f3n del producto."}], "id": "CVE-2024-23785", "lastModified": "2024-10-17T15:15:27.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-14T10:15:08.663", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_en.pdf"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://jp.sharp/support/taiyo/info/JVNVU94591337_jp.pdf"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/vu/JVNVU94591337/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}