Refine your search
3 vulnerabilities found for flashair by toshiba
jvndb-2017-000091
Vulnerability from jvndb
Published
2017-05-16 15:46
Modified
2017-12-21 19:16
Severity ?
Summary
FlashAir do not set credential information in PhotoShare
Details
FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. FlashAir PhotoShare function enables to share the image data in a certain folder with other users as it switches the original wireless LAN connection set by FlashAir default to the wireless LAN connection for PhotoShare.
When enabling PhotoShare with a mobile application (either for Android or iOS), the application prompts a user to set credentials. But when enabling PhotoShare with web browsers, the wireless LAN connection for PhotoShare cannot be enabled, and default credentials are set to the other wireless network configured to the device. As a result, a remote attacker with access to the wireless LAN may obtain image data by using default credentials (CWE-284).
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000091.html",
"dc:date": "2017-12-21T19:16+09:00",
"dcterms:issued": "2017-05-16T15:46+09:00",
"dcterms:modified": "2017-12-21T19:16+09:00",
"description": "FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. FlashAir PhotoShare function enables to share the image data in a certain folder with other users as it switches the original wireless LAN connection set by FlashAir default to the wireless LAN connection for PhotoShare.\r\n\r\nWhen enabling PhotoShare with a mobile application (either for Android or iOS), the application prompts a user to set credentials. But when enabling PhotoShare with web browsers, the wireless LAN connection for PhotoShare cannot be enabled, and default credentials are set to the other wireless network configured to the device. As a result, a remote attacker with access to the wireless LAN may obtain image data by using default credentials (CWE-284).\r\n\r\nTakayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000091.html",
"sec:cpe": {
"#text": "cpe:/a:toshiba:flashair",
"@product": "FlashAir",
"@vendor": "TOSHIBA",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "3.3",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000091",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN81820501/index.html",
"@id": "JVN#81820501",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2162",
"@id": "CVE-2017-2162",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2162",
"@id": "CVE-2017-2162",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "FlashAir do not set credential information in PhotoShare"
}
jvndb-2017-000090
Vulnerability from jvndb
Published
2017-05-16 15:34
Modified
2017-12-21 19:13
Severity ?
Summary
FlashAir fails to restrict access permissions in PhotoShare
Details
FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. FlashAir PhotoShare function enables to share the selected data with other users as it switches the original wireless LAN connection set by FlashAir default to the wireless LAN connection for PhotoShare.
FlashAir fails to restrict access permissions (CWE-425) in PhotoShare.
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000090.html",
"dc:date": "2017-12-21T19:13+09:00",
"dcterms:issued": "2017-05-16T15:34+09:00",
"dcterms:modified": "2017-12-21T19:13+09:00",
"description": "FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. FlashAir PhotoShare function enables to share the selected data with other users as it switches the original wireless LAN connection set by FlashAir default to the wireless LAN connection for PhotoShare.\r\n\r\nFlashAir fails to restrict access permissions (CWE-425) in PhotoShare.\r\n\r\nTakayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000090.html",
"sec:cpe": {
"#text": "cpe:/a:toshiba:flashair",
"@product": "FlashAir",
"@vendor": "TOSHIBA",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.7",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000090",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN46372675/index.html",
"@id": "JVN#46372675",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2161",
"@id": "CVE-2017-2161",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2161",
"@id": "CVE-2017-2161",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/284.html",
"@id": "CWE-284",
"@title": "Improper Access Control(CWE-284)"
}
],
"title": "FlashAir fails to restrict access permissions in PhotoShare"
}
jvndb-2016-000168
Vulnerability from jvndb
Published
2016-10-12 10:03
Modified
2017-11-27 17:04
Severity ?
Summary
Toshiba FlashAir does not require authentication in "Internet pass-thru Mode"
Details
FlashAir by Toshiba Corporation is a SDHC memory card which provides "Internet pass-thru Mode", allowing devices to access the internet while connecting to FlashAir. When configured in "Internet pass-thru Mode", FlashAir acts both as a station and as an access point.
When "Internet pass-thru Mode" is enabled, FlashAir does not require authentication on accepting a connection from STA (station) side LAN.
Tsukada Nobuhisa of Seasoft reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000168.html",
"dc:date": "2017-11-27T17:04+09:00",
"dcterms:issued": "2016-10-12T10:03+09:00",
"dcterms:modified": "2017-11-27T17:04+09:00",
"description": "FlashAir by Toshiba Corporation is a SDHC memory card which provides \"Internet pass-thru Mode\", allowing devices to access the internet while connecting to FlashAir. When configured in \"Internet pass-thru Mode\", FlashAir acts both as a station and as an access point.\r\nWhen \"Internet pass-thru Mode\" is enabled, FlashAir does not require authentication on accepting a connection from STA (station) side LAN.\r\n\r\nTsukada Nobuhisa of Seasoft reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000168.html",
"sec:cpe": {
"#text": "cpe:/a:toshiba:flashair",
"@product": "FlashAir",
"@vendor": "TOSHIBA",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2016-000168",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN39619137/index.html",
"@id": "JVN#39619137",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4863",
"@id": "CVE-2016-4863",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-4863",
"@id": "CVE-2016-4863",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "Toshiba FlashAir does not require authentication in \"Internet pass-thru Mode\""
}