CVE-2024-27141 - Vulnerability Details

Description

Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending a HTTP request without authentication. An attacker can exploit the XXE to retrieve information. As for the affected products/models/versions, see the reference URL.

Published: 2024-06-14

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Toshiba Tec Corporation

Toshiba Tec e-Studio multi-function peripheral (MFP)

unaffected

Version	Status	Constraints
`see the reference URL`	affected	—

No data.

No data available yet.

Remediation

Vendor Solution

This issue is fixed in the version released on June 14, 2024 and all later versions.

Vendor Workaround

When connecting the MFPs and printers with an outer network such as the Internet, only operate it in a network environment protected by a firewall, etc. to prevent information from being leaked due to incorrect settings or avoid illegal access by unauthorized users.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-24382	Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending a HTTP request without authentication. An attacker can exploit the XXE to retrieve information. As for the affected products/models/versions, see the reference URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00102.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jul/1
https://jvn.jp/en/vu/JVNVU97136265/index.html
https://www.toshibatec.com/information/20240531_01.html
https://www.toshibatec.com/information/pdf/information20240531_01.pdf

History

Thu, 13 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Toshibatec Toshibatec e-studio-2010-ac Toshibatec e-studio-2015-nc Toshibatec e-studio-2020 Ac Toshibatec e-studio-2021 Ac Toshibatec e-studio-2110-ac Toshibatec e-studio-2510-ac Toshibatec e-studio-2515-nc Toshibatec e-studio-2520 Nc Toshibatec e-studio-2521 Ac Toshibatec e-studio-2525 Ac Toshibatec e-studio-2528-a Toshibatec e-studio-2610-ac Toshibatec e-studio-2615-nc Toshibatec e-studio-3015-nc Toshibatec e-studio-3025 Ac Toshibatec e-studio-3028-a Toshibatec e-studio-3115-nc Toshibatec e-studio-330-ac Toshibatec e-studio-3515-nc Toshibatec e-studio-3525 Ac Toshibatec e-studio-3525 Acg Toshibatec e-studio-3528-a Toshibatec e-studio-3528-ag Toshibatec e-studio-3615-nc Toshibatec e-studio-400-ac Toshibatec e-studio-4515 Ac Toshibatec e-studio-4525 Ac Toshibatec e-studio-4528-a Toshibatec e-studio-4528-ag Toshibatec e-studio-4615 Ac Toshibatec e-studio-5525 Ac Toshibatec e-studio-5525 Acg Toshibatec e-studio-5528-a Toshibatec e-studio-6525 Ac Toshibatec e-studio-6525 Acg Toshibatec e-studio-6526-ac Toshibatec e-studio-6527-ac Toshibatec e-studio-6528-a Toshibatec e-studio-6529-a Toshibatec e-studio-7527-ac Toshibatec e-studio-7529-a Toshibatec e-studio-9029-a
CPEs		cpe:2.3:h:toshibatec:e-studio-2010-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2015-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-2020_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2021_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2110-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2510-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2515-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-2520_nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-2521_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2525_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2528-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-2610-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-2615-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-3015-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-3025_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-3028-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-3115-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-330-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-3515-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-3525_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-3525_acg:-:::::::* cpe:2.3:h:toshibatec:e-studio-3528-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-3528-ag:-:::::::* cpe:2.3:h:toshibatec:e-studio-3615-nc:-:::::::* cpe:2.3:h:toshibatec:e-studio-400-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-4515_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-4525_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-4528-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-4528-ag:-:::::::* cpe:2.3:h:toshibatec:e-studio-4615_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-5525_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-5525_acg:-:::::::* cpe:2.3:h:toshibatec:e-studio-5528-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-6525_ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-6525_acg:-:::::::* cpe:2.3:h:toshibatec:e-studio-6526-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-6527-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-6528-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-6529-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-7527-ac:-:::::::* cpe:2.3:h:toshibatec:e-studio-7529-a:-:::::::* cpe:2.3:h:toshibatec:e-studio-9029-a:-:::::::*
Vendors & Products		Toshibatec Toshibatec e-studio-2010-ac Toshibatec e-studio-2015-nc Toshibatec e-studio-2020 Ac Toshibatec e-studio-2021 Ac Toshibatec e-studio-2110-ac Toshibatec e-studio-2510-ac Toshibatec e-studio-2515-nc Toshibatec e-studio-2520 Nc Toshibatec e-studio-2521 Ac Toshibatec e-studio-2525 Ac Toshibatec e-studio-2528-a Toshibatec e-studio-2610-ac Toshibatec e-studio-2615-nc Toshibatec e-studio-3015-nc Toshibatec e-studio-3025 Ac Toshibatec e-studio-3028-a Toshibatec e-studio-3115-nc Toshibatec e-studio-330-ac Toshibatec e-studio-3515-nc Toshibatec e-studio-3525 Ac Toshibatec e-studio-3525 Acg Toshibatec e-studio-3528-a Toshibatec e-studio-3528-ag Toshibatec e-studio-3615-nc Toshibatec e-studio-400-ac Toshibatec e-studio-4515 Ac Toshibatec e-studio-4525 Ac Toshibatec e-studio-4528-a Toshibatec e-studio-4528-ag Toshibatec e-studio-4615 Ac Toshibatec e-studio-5525 Ac Toshibatec e-studio-5525 Acg Toshibatec e-studio-5528-a Toshibatec e-studio-6525 Ac Toshibatec e-studio-6525 Acg Toshibatec e-studio-6526-ac Toshibatec e-studio-6527-ac Toshibatec e-studio-6528-a Toshibatec e-studio-6529-a Toshibatec e-studio-7527-ac Toshibatec e-studio-7529-a Toshibatec e-studio-9029-a
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Toshibatec E-studio-2010-ac E-studio-2015-nc E-studio-2020 Ac E-studio-2021 Ac E-studio-2110-ac E-studio-2510-ac E-studio-2515-nc E-studio-2520 Nc E-studio-2521 Ac E-studio-2525 Ac E-studio-2528-a E-studio-2610-ac E-studio-2615-nc E-studio-3015-nc E-studio-3025 Ac E-studio-3028-a E-studio-3115-nc E-studio-330-ac E-studio-3515-nc E-studio-3525 Ac E-studio-3525 Acg E-studio-3528-a E-studio-3528-ag E-studio-3615-nc E-studio-400-ac E-studio-4515 Ac E-studio-4525 Ac E-studio-4528-a E-studio-4528-ag E-studio-4615 Ac E-studio-5525 Ac E-studio-5525 Acg E-studio-5528-a E-studio-6525 Ac E-studio-6525 Acg E-studio-6526-ac E-studio-6527-ac E-studio-6528-a E-studio-6529-a E-studio-7527-ac E-studio-7529-a E-studio-9029-a

MITRE

Status: PUBLISHED

Assigner: Toshiba

Published: 2024-06-14T02:21:24.696Z

Updated: 2025-02-13T17:41:20.670Z

Reserved: 2024-02-21T02:11:53.249Z

Link: CVE-2024-27141

Vulnrichment

Updated: 2024-08-02T00:27:59.773Z

NVD

Status : Awaiting Analysis

Published: 2024-06-14T03:15:09.700

Modified: 2024-11-21T09:03:56.060

Link: CVE-2024-27141

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-776

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object