This issue affects all versions of the camera, including the original T100, T100s, T100 X, T100 XR, T300, T300 X, T500, T500 X, T700, T700 X, T700 XR, T700 XS and T850.

Fuji Electric D300win prior to version 3.7.1.17 is also affected by a hardcoded password issue in the web interface. An attacker can access the web interface with a hardcoded password as ‘admin’, which allows the attacker to view, change and delete any information on the camera.

These issues do not allow an attacker to control the camera. However, they could be used to obtain information on the camera that an authorized user has access to, for example, the memory card information. An attacker could also use these issues to access the web interface without the need for a hardcoded password, which could have more serious consequences.

These issues have been fixed in version 3.7.1.17 of the software.

CVE-2018-5276

This issue affects all versions of the camera, including the original T100, T100s, T100 X, T100 XR, T300, T300 X, T500, T500 X, T700, T700 X and T850.

The web interface for the affected cameras does not, in certain cases, verify the integrity of data received from third-party servers. This could allow an attacker to send crafted HTTP requests that cause a buffer overflow in the camera's web interface. An attacker can exploit this vulnerability to gain control of a camera or cause a denial-of-service condition.

CVE-2021-1522

This issue affects all versions of the camera, including the original T100, T100s, T100 X, T100 XR, T300, T300 X, T500, T500 X, T700, T700 X, and T850.

An attacker with physical access to the camera can use a hardcoded password as ‘admin’ to perform actions that are restricted to authorized users, such as accessing the content on the memory card or changing the configuration settings.

These issues have been fixed in version 3.7.1.17 of the software.

Timeline

Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/21/2022 16:40:00 UTC

References