CVE-2024-47947 – Stored cross-site scripting
https://notcve.org/view.php?id=CVE-2024-47947
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browsers of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the Poweruser and Admin roles can use this function, which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre. The stored JavaScript payload is executed every time the ScanWizard is loaded, even in the Kiosk-mode browser; since that browser runs as root (see CVE-2024-28140 below), the payload lands in a root-owned process. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-28142 – Stored cross-site scripting
https://notcve.org/view.php?id=CVE-2024-28142
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browsers of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input fields. By abusing the wildcard character feature, an attacker can store arbitrary JavaScript code that is triggered whenever the page is viewed afterwards, e.g. by higher-privileged users such as admins. This attack can even be performed without being logged in, because the affected functions are not fully protected; without logging in, only the file name parameter of the "Default" user can be changed. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
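Both stored XSS entries above (the disclaimer text and the file name field) share one root cause: user-controlled strings are written into HTML without encoding for the context they land in. The following is an added example, not code from the advisory or from the Scan2Net firmware; the template, the payload strings and the "render" functions are constructed to illustrate the pattern. It shows the vulnerable concatenation next to the hardened output encoding, and a small checker that tokenizes the rendered markup the way a browser would and reports anything that executes script.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the advisory): a disclaimer a
# Poweruser could store via "Edit Disclaimer Text", and a file-name value that
# closes a quoted attribute and appends an event handler.
MALICIOUS_DISCLAIMER = 'By scanning you accept our terms.<script>alert(document.cookie)</script>'
MALICIOUS_FILENAME = 'scan_" onmouseover="alert(document.cookie)'


def render_vulnerable(disclaimer, filename):
    """Vulnerable pattern: stored user input concatenated straight into HTML."""
    return (
        '<div class="disclaimer">' + disclaimer + '</div>\n'
        '<input name="filename" value="' + filename + '">'
    )


def render_hardened(disclaimer, filename):
    """Fix: encode on output for the context the value is placed in.

    In a text node &, < and > must be escaped; inside a quoted attribute the
    quote characters must be escaped as well, otherwise the attacker can close
    the attribute and add an on* handler. html.escape(quote=True) covers both.
    """
    return (
        '<div class="disclaimer">' + html.escape(disclaimer, quote=True) + '</div>\n'
        '<input name="filename" value="' + html.escape(filename, quote=True) + '">'
    )


class ActiveContentFinder(HTMLParser):
    """Tokenizes markup like a browser and records script-bearing constructs:
    <script> elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler " + name)
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in " + name)


def active_content(markup):
    """List of script-execution points found in rendered markup (empty = clean)."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings
```

Note that the checker is a regression test for the encoding, not a substitute for it: it only sees the output of the rendering step, and the wildcard field in the "File Name" page shows why filtering input is the wrong layer; the wildcard characters are legitimate input there and have to be encoded at output time instead.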
CVE-2024-28141 – Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-28141
The web application is not protected against cross-site request forgery attacks. An attacker can therefore trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. For example, an attacker can forge malicious links that reset the admin password or create new users. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-352: Cross-Site Request Forgery (CSRF)
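The entry mentions that a plain link is enough to reset the admin password, which means two things are missing: state changes are reachable via GET, and nothing ties the request to the victim's session. The following added example (not part of the advisory and not Scan2Net's code) shows a server-side guard that closes both gaps: it refuses state changes on safe methods, checks the browser-supplied Origin (falling back to Referer, and failing closed when neither is present) against the device's own origin, and requires a per-session token derived with HMAC from a server secret. The origin, the secret and the request dictionaries are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://scanner.example"        # assumption: the device's own origin
SERVER_SECRET = b"per-device-secret-set-at-install"  # assumption: placeholder, never a real value


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session: a token captured from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _request_origin(headers) -> Optional[str]:
    """Origin header, else the origin part of Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return parts.scheme + "://" + parts.netloc
    return None


def csrf_guard(request, session_id, secret=SERVER_SECRET, site_origin=SITE_ORIGIN):
    """Decide whether a state-changing request (password reset, user creation) may proceed.

    request is a dict with "method", "headers" and "form" (constructed shape for the example).
    Returns (allowed, reason).
    """
    # 1. A forged link is a GET; state changes must only be accepted via POST.
    if request["method"].upper() != "POST":
        return False, "state change attempted with a safe method"
    # 2. The browser tells us where the request came from; fail closed when it does not.
    origin = _request_origin(request.get("headers", {}))
    if origin is None:
        return False, "no Origin/Referer header"
    if origin != site_origin:
        return False, "cross-origin request from " + origin
    # 3. The token must be present and match the session, compared in constant time.
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests for the three situations the entry describes.
def forged_link_request():
    """Victim clicks a link on the attacker's page: a GET carrying the password-reset parameters."""
    return {"method": "GET", "headers": {"Referer": "https://attacker.example/lure.html"},
            "form": {"newpw": "owned"}}


def forged_form_post():
    """Attacker's page auto-submits a POST form; the browser still sends its own Origin."""
    return {"method": "POST", "headers": {"Origin": "https://attacker.example"},
            "form": {"newpw": "owned"}}


def legitimate_post(session_id):
    """The device's own form, carrying the token issued for this session."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "form": {"newpw": "s3cret", "csrf_token": issue_csrf_token(session_id)}}
```

The Origin check alone would already stop the forged POST, but it is kept together with the token because some privacy tooling strips Referer and older clients omit Origin, and a guard that fails open in that case is no guard. Setting the session cookie with SameSite=Lax or Strict is a cheap additional layer, but it does not replace the token on a device whose users may reach it over plain HTTP.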
CVE-2024-28140 – Violation of Least Privilege Principle
https://notcve.org/view.php?id=CVE-2024-28140
The scanner device boots into a kiosk mode by default and opens the Scan2Net interface in a browser window. This browser runs with the permissions of the root user, and several other applications run as root as well. A browser compromise therefore yields root directly, without a separate privilege-escalation step. This can be confirmed by running "ps aux" as the root user and inspecting the output. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-250: Execution with Unnecessary Privileges
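The entry points at "ps aux" as the way to verify the finding. The following added example (not from the advisory, not device code) turns that manual look into a repeatable check: it parses ps aux output and reports every root-owned process whose executable is not on an explicit allowlist of daemons that legitimately need root. The allowlist is fail-closed, so an unexpected root process is reported rather than silently accepted. The sample ps output is constructed to resemble the described state (a root-owned kiosk browser) and is not a capture from a real scanner.

```python
import os

# Constructed `ps aux` output modelled on the entry's description; not a real capture.
SAMPLE_PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2548  1120 ?        Ss   08:00   0:01 /sbin/init
root         7  0.0  0.0      0     0 ?        S    08:00   0:00 [kworker/0:1]
root       412  0.0  0.3  12000  4100 ?        Ss   08:00   0:00 /usr/sbin/sshd -D
root       618  0.0  0.9  31000 13000 ?        Ss   08:00   0:00 /usr/sbin/apache2 -k start
www-data   620  0.0  0.8  31000 12000 ?        S    08:00   0:00 /usr/sbin/apache2 -k start
root       812  2.1  6.4 512000 98000 tty1     Sl   08:01   0:25 /usr/bin/chromium --kiosk http://localhost/
"""

# Daemons that need root for a reason (binding privileged ports, spawning per-user
# workers). Anything else running as root is reported. Extend deliberately, not reactively.
EXPECTED_ROOT = {"init", "systemd", "sshd", "apache2", "cron", "udevd"}


def parse_ps_aux(text):
    """Rows of {'user', 'pid', 'command'} from `ps aux` output (header skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split(None, 10)      # COMMAND may contain spaces: split into at most 11 fields
        if len(fields) < 11:
            continue
        rows.append({"user": fields[0], "pid": int(fields[1]), "command": fields[10]})
    return rows


def unexpected_root_processes(text, expected_root=EXPECTED_ROOT):
    """(pid, executable) for root-owned user-space processes not on the allowlist."""
    findings = []
    for row in parse_ps_aux(text):
        if row["user"] != "root":
            continue
        argv0 = row["command"].split()[0]
        if argv0.startswith("["):          # kernel threads are shown in brackets; not user space
            continue
        exe = os.path.basename(argv0)
        if exe not in expected_root:
            findings.append((row["pid"], exe))
    return sorted(findings)
```

On a live device the input would be `subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout`; the check deliberately matches on the executable name only, so a browser started through a wrapper script would need the wrapper added to the check or the script inspected by hand.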
CVE-2024-47946 – OS Command Execution through Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-47946
If the attacker has access to a valid Poweruser session, remote code execution is possible, because specially crafted but valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the file sits in the web root and is handed to the PHP interpreter when it is requested, so the embedded PHP code executes. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data". • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-434: Unrestricted Upload of File with Dangerous Type
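A PNG stays a valid PNG no matter what bytes sit in an ancillary chunk, and even the pixel stream can carry arbitrary bytes verbatim if it is deflated with stored blocks, so "the image opens fine" is no evidence that an upload is harmless. The added example below (not the advisory's files, not Scan2Net code) builds two such polyglots in pure Python to make the point concrete, and then shows the hardened upload path: parse the PNG strictly (signature, framing, CRCs), rebuild it from critical chunks only while recompressing IDAT, and store it under a server-chosen name. The payload string, the image contents and the accept_upload interface are constructed for the example. The step that actually neutralizes this class of bug, serving the upload directory without any script handler, is a web-server configuration matter and is stated in the docstring rather than shown in code.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Length-prefixed PNG chunk with a correct CRC over type and data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_rgb8_png(width, height, raw_scanlines, extra_chunks=(), level=9):
    """Valid 8-bit RGB PNG; raw_scanlines is one filter byte plus width*3 bytes per row."""
    if len(raw_scanlines) != height * (1 + 3 * width):
        raise ValueError("scanline data does not match dimensions")
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        out += _chunk(ctype, data)
    return out + _chunk(b"IDAT", zlib.compress(raw_scanlines, level)) + _chunk(b"IEND", b"")


def parse_chunks(png):
    """[(type, data), ...] after checking signature, framing and every CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk " + repr(ctype))
        chunks.append((ctype, data))
        pos = end
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("missing IHDR/IEND")
    return chunks


def pixel_data(png):
    """Decompressed scanlines: the only bytes a viewer actually needs."""
    return zlib.decompress(b"".join(d for t, d in parse_chunks(png) if t == b"IDAT"))


def sanitize_png(png):
    """Re-emit the image from IHDR/PLTE/IDAT/IEND only, recompressing the pixel stream.

    Drops tEXt/zTXt/iTXt and all other ancillary chunks (the usual hiding place) and
    rewrites IDAT so bytes smuggled in as stored deflate blocks do not survive verbatim.
    """
    chunks = parse_chunks(png)
    out = PNG_SIGNATURE + _chunk(b"IHDR", chunks[0][1])
    for t, d in chunks:
        if t == b"PLTE":
            out += _chunk(t, d)
    return out + _chunk(b"IDAT", zlib.compress(pixel_data(png), 9)) + _chunk(b"IEND", b"")


def accept_upload(client_filename, data):
    """Hardened handling of a background/lock-screen upload: (accepted, stored_name, bytes).

    The stored name is derived by the server, never taken from the client, and the
    caller must write the file to a directory the web server serves as static content
    with no PHP/CGI handler attached. That last point is the real fix; the rest is depth.
    """
    if not client_filename.lower().endswith(".png"):
        return False, "only .png accepted", b""
    try:
        clean = sanitize_png(data)
    except ValueError as exc:
        return False, "rejected: " + str(exc), b""
    return True, hashlib.sha256(clean).hexdigest()[:16] + ".png", clean


# Constructed illustrations of the polyglot idea (not the advisory's files).
PHP_PAYLOAD = b'<?php echo "hello from polyglot"; ?>'


def polyglot_via_text_chunk():
    """2x2 red image whose tEXt comment carries PHP; every CRC is valid."""
    raw = bytes([0, 255, 0, 0, 255, 0, 0]) * 2
    return build_rgb8_png(2, 2, raw, extra_chunks=[(b"tEXt", b"Comment\x00" + PHP_PAYLOAD)])


def polyglot_via_stored_idat():
    """Payload used as pixel bytes and deflated at level 0, so it sits verbatim inside IDAT."""
    width = -(-len(PHP_PAYLOAD) // 3)
    row = b"\x00" + PHP_PAYLOAD.ljust(width * 3, b" ")
    return build_rgb8_png(width, 1, row, level=0)
```

Checking the upload for the string "<?php" is deliberately not part of the decision: PHP's short_open_tag accepts "<?" as well, and a blocklist on content is exactly the kind of filter that gets bypassed. Re-encoding plus a script-free upload directory does not depend on recognizing the payload.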