CVSS: 6.8EPSS: 0%CPEs: 690EXPL: 1CVE-2024-51984 – Authenticated disclosure of external service passwords via pass-back attack affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51984
25 Jun 2025 — An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 666EXPL: 1CVE-2024-51983 – Unauthenticated Denial of Service (DoS) via malformed WS-Scan request affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51983
25 Jun 2025 — An unauthenticated attacker who can connect to the Web Services feature (HTTP TCP port 80) can issue a WS-Scan SOAP request containing an unexpected JobToken value which will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 5.3EPSS: 0%CPEs: 707EXPL: 1CVE-2024-51981 – Unauthenticated Server Side Request Forgery (SSRF) via WS-Eventing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51981
25 Jun 2025 — An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 713EXPL: 1CVE-2024-51980 – Unauthenticated Server Side Request Forgery (SSRF) via WS-Addressing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51980
25 Jun 2025 — An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 8... • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 2%CPEs: 695EXPL: 2CVE-2024-51978 – Authentication bypass via default password generation affecting multiple models from Brother Industries, Ltd, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51978
25 Jun 2025 — An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request. • https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf • CWE-1391: Use of Weak Credentials •
CVSS: 5.3EPSS: 1%CPEs: 463EXPL: 1CVE-2024-51977 – Unauthenticated leak of sensitive information affecting multiple models from Brother Industries, Ltd., FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.
https://notcve.org/view.php?id=CVE-2024-51977
25 Jun 2025 — An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number. • https://github.com/sfewer-r7/BrotherVulnerabilities • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 7.8EPSS: 0%CPEs: 434EXPL: 0CVE-2023-29984
https://notcve.org/view.php?id=CVE-2023-29984
11 Jul 2023 — Null pointer dereference vulnerability exists in multiple vendors MFPs and printers which implement Debut web server 1.2 or 1.3. Processing a specially crafted request may lead an affected product to a denial-of-service (DoS) condition. As for the affected products/models/versions, see the detailed information provided by each vendor. • https://jvn.jp/en/vu/JVNVU93767756/index.html • CWE-476: NULL Pointer Dereference •
CVSS: 10.0EPSS: 3%CPEs: 610EXPL: 1CVE-2019-13192
https://notcve.org/view.php?id=CVE-2019-13192
13 Mar 2020 — Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a heap buffer overflow vulnerability as the IPP service did not parse attribute names properly. This would allow an attacker to execute arbitrary code on the device. Algunas impresoras Brother (tal y como la HL-L8360CDW versión v1.20), fueron afectadas por una vulnerabilidad de desbordamiento del búfer de la pila ya que el servicio IPP no analizó los nombres de los atributos apropiadamente. Esto permitiría a un atacante ejecutar código a... • https://global.brother • CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 2%CPEs: 610EXPL: 1CVE-2019-13193
https://notcve.org/view.php?id=CVE-2019-13193
13 Mar 2020 — Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a stack buffer overflow vulnerability as the web server did not parse the cookie value properly. This would allow an attacker to execute arbitrary code on the device. Algunas impresoras Brother (tal y como la HL-L8360CDW versión v1.20), fueron afectadas por una vulnerabilidad de desbordamiento del búfer de la pila, ya que el servidor web no analizó el valor de la cookie apropiadamente. Esto permitiría a un atacante ejecutar código arbitr... • https://global.brother • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 610EXPL: 1CVE-2019-13194
https://notcve.org/view.php?id=CVE-2019-13194
13 Mar 2020 — Some Brother printers (such as the HL-L8360CDW v1.20) were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user who visits a specific URL. Algunas impresoras Brother (tal y como la HL-L8360CDW versión v1.20), fueron afectadas por diferentes vulnerabilidades de divulgación de información que suministraban información confidencial a un usuario no autenticado que visitaba una URL específica. • https://global.brother • CWE-306: Missing Authentication for Critical Function •