CVE-2024-27162

DOM-based XSS

Description

Toshiba printers provide a web interface that loads a JavaScript file. The file contains insecure code that is vulnerable to XSS, and it is loaded in every web page served by the printer. An attacker can steal the cookie of an admin user. For the affected products, models and versions, see the reference URL.

Remediation

Solution:

  • This issue is fixed in the version released on June 14, 2024 and all later versions.

Workaround:

  • When connecting the MFPs and printers to an external network such as the Internet, operate them only in a network environment protected by a firewall or similar, to prevent information from being leaked due to incorrect settings and to prevent access by unauthorized users.

Category

CVSS 3.1 score: 6.1 (Severity: Medium)
EPSS: 1.55% (Top 20%)
Affected: Toshiba Tec Corporation Toshiba Tec e-Studio multi-function peripheral (MFP)
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2024-27162?
CVE-2024-27162 has been scored as a medium severity vulnerability.
How to fix CVE-2024-27162?
To fix CVE-2024-27162: This issue is fixed in the version released on June 14, 2024 and all later versions.
Is CVE-2024-27162 being actively exploited in the wild?
Based on public information, it is possible that CVE-2024-27162 is being exploited or will be exploited in the near future. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-27162?
CVE-2024-27162 affects Toshiba Tec Corporation Toshiba Tec e-Studio multi-function peripheral (MFP).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.