CVE-2024-33605
Published: 2024-11-26
Priority: P3 · 57 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 6.23% (92.7th percentile)
Improper processing of some parameters of installed_emanual_list.html leads to a path traversal vulnerability. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sharp_corporation | multiple_mfps | — | — |
| toshiba_tec_corporation | multiple_mfps | — | — |
Detection & IOCs
- Unauthenticated GET request to /installed_emanual_list.html; response body contains both 'ServiceEmanualList' and '/installed_emanual_down.html', response header contains 'Set-Cookie: MFPSESSIONID=', and HTTP status is 200: confirms vulnerable Sharp MFP directory listing endpoint.
- Shodan fingerprinting for exposed Sharp MFP devices can be performed using the query 'Set-Cookie: MFPSESSIONID=' to identify internet-facing targets.
- The vulnerability is triggered via improper parameter processing in installed_emanual_list.html, enabling path traversal / arbitrary directory listing without authentication on Sharp multifunction printers.
- Affected product scope is broad; specific model numbers and firmware versions must be confirmed via vendor advisories rather than a single CPE entry.
No detection rules found.
Nuclei
CVE-2024-33605 [HIGH] Sharp Multifunction Printers - Directory Listing
nuclei · CVSS 7.5
It was observed that Sharp printers are vulnerable to an arbitrary directory listing without authentication. Any attacker can list any directory located in the printer and recover any file.
Template:
```yaml
id: CVE-2024-33605

info:
  name: Sharp Multifunction Printers - Directory Listing
  author: gy741
  severity: high
  description: |
    It was observed that Sharp printers are vulnerable to an arbitrary directory listing without authentication. Any attacker can list any directory located in the printer and recover any file.
  impact: |
    Unauthenticated attackers can list arbitrary directories and recover files from Sharp multifunction printers.
  remediation: |
    Apply all relevant security patches and product upgrades for Sharp multifunction printers.
  referen
```
No writeups or analysis indexed.
References
- https://global.sharp/products/copier/info/info_security_2024-05.html
- https://jp.sharp/business/print/information/info_security_2024-05.html
- https://jvn.jp/en/vu/JVNVU93051062/
- https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
- https://www.toshibatec.co.jp/information/20240531_02.html
- https://www.toshibatec.com/information/20240531_02.html
- http://seclists.org/fulldisclosure/2024/Jul/0