Details of VAR-201404-0194

ID

VAR-201404-0194

CVE

CVE-2014-1990

TITLE

TOSHIBA TEC e-Studio series vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2014-000038

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the web-based management utility) on TOSHIBA TEC e-Studio 232, 233, 282, and 283 devices allows remote attackers to hijack the authentication of administrators for requests that change passwords. e-Studio provided by TOSHIBA TEC CORPORATION is a multi-function peripheral (MFP). As a result, a remote attacker may obtain the document assets such as scan data. TOSHIBA e-Studio is prone to a cross-site request-forgery vulnerability. Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers. TOSHIBA TEC e-Studio 232, 233, 282 and 283 are all printing and copying all-in-one products of Japan's Toshiba (TOSHIBA). TopAccess (also known as Web-based management tool) is the network management software used in these products

Trust: 1.98

sources: NVD: CVE-2014-1990 // JVNDB: JVNDB-2014-000038 // BID: 63713 // VULHUB: VHN-69929

AFFECTED PRODUCTS

vendor:	toshibatec	model:	e-studio-233	scope:	eq	version:	-	Trust: 1.6
vendor:	toshibatec	model:	e-studio-232	scope:	eq	version:	-	Trust: 1.6
vendor:	toshibatec	model:	e-studio-283	scope:	eq	version:	-	Trust: 1.6
vendor:	toshibatec	model:	e-studio-282	scope:	eq	version:	-	Trust: 1.6
vendor:	toshiba tec	model:	e-studio 232	scope:	-	version:	-	Trust: 0.8
vendor:	toshiba tec	model:	e-studio 233	scope:	-	version:	-	Trust: 0.8
vendor:	toshiba tec	model:	e-studio 282	scope:	-	version:	-	Trust: 0.8
vendor:	toshiba tec	model:	e-studio 283	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2014-000038 // CNNVD: CNNVD-201404-392 // NVD: CVE-2014-1990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1990
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2014-000038
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201404-392
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-69929
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-1990
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
IPA:	JVNDB-2014-000038
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-69929
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-69929 // JVNDB: JVNDB-2014-000038 // CNNVD: CNNVD-201404-392 // NVD: CVE-2014-1990

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-69929 // JVNDB: JVNDB-2014-000038 // NVD: CVE-2014-1990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-392

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201404-392

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-000038

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-69929

PATCH

title:

TOSHIBA TEC CORPORATION website

url:

http://www.toshibatec.co.jp/page.jsp?id=4224

Trust: 0.8

sources: JVNDB: JVNDB-2014-000038

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1990	Trust: 2.8
db:	JVN	id:	JVN13313061	Trust: 2.5
db:	JVNDB	id:	JVNDB-2014-000038	Trust: 2.5
db:	CNNVD	id:	CNNVD-201404-392	Trust: 0.7
db:	JVN	id:	JVN#13313061	Trust: 0.6
db:	BID	id:	63713	Trust: 0.4
db:	EXPLOIT-DB	id:	29570	Trust: 0.1
db:	SEEBUG	id:	SSVID-83062	Trust: 0.1
db:	VULHUB	id:	VHN-69929	Trust: 0.1

sources: VULHUB: VHN-69929 // BID: 63713 // JVNDB: JVNDB-2014-000038 // CNNVD: CNNVD-201404-392 // NVD: CVE-2014-1990

REFERENCES

url:	http://jvn.jp/en/jp/jvn13313061/index.html	Trust: 2.5
url:	http://www.toshibatec.co.jp/page.jsp?id=4224	Trust: 1.7
url:	http://jvndb.jvn.jp/jvndb/jvndb-2014-000038	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1990	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1990	Trust: 0.8

sources: VULHUB: VHN-69929 // JVNDB: JVNDB-2014-000038 // CNNVD: CNNVD-201404-392 // NVD: CVE-2014-1990

CREDITS

Hubert Gradek

Trust: 0.3

sources: BID: 63713

SOURCES

db:	VULHUB	id:	VHN-69929
db:	BID	id:	63713
db:	JVNDB	id:	JVNDB-2014-000038
db:	CNNVD	id:	CNNVD-201404-392
db:	NVD	id:	CVE-2014-1990

LAST UPDATE DATE

2025-04-13T23:39:11.258000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-69929	date:	2014-04-21T00:00:00
db:	BID	id:	63713	date:	2014-04-22T14:58:00
db:	JVNDB	id:	JVNDB-2014-000038	date:	2014-04-28T00:00:00
db:	CNNVD	id:	CNNVD-201404-392	date:	2014-04-23T00:00:00
db:	NVD	id:	CVE-2014-1990	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-69929	date:	2014-04-19T00:00:00
db:	BID	id:	63713	date:	2013-10-02T00:00:00
db:	JVNDB	id:	JVNDB-2014-000038	date:	2014-04-18T00:00:00
db:	CNNVD	id:	CNNVD-201404-392	date:	2014-04-23T00:00:00
db:	NVD	id:	CVE-2014-1990	date:	2014-04-19T19:55:07.717