Security related information: Security vulnerabilities in our products

A security vulnerability has been identified in TA Triumph-Adler’s MFPs and printers. The following is an overview of the issue and how to resolve it. As of the date of publication of this notice, we have not confirmed any attacks that take advantage of this vulnerability.

1.   Vulnerability description

Three vulnerabilities have been identified.
Vulnerability number: JVN#46345126
  1. Session Management Defects in Command Center Vulnerability (CVE-2022-41798)
    A vulnerability that allows a user to log in without authentication by using forged cookies, in an environment where the product is accessible through Command Center.
  2. Inadequate Authentication of Command Center (CVE-2022-41807)
    In a usage environment where the product is accessible via Command Center, if a client (a malicious attacker's personal computer) issues a request to the server (the product) to change device settings using the Common Gateway Interface (CGI), configuration changes can be made without logging in to Command Center.
  3. Cross-site scripting vulnerability in Command Center (CVE-2022-41830)
    In a usage environment where the product is accessible via Command Center, an attacker could embed malicious JavaScript in a certificate by exploiting the ability to register, configure, and reference SSL/TLS certificates in the Command Center security settings. When the equipment administrator then logs in to Command Center and references the SSL/TLS certificate, the JavaScript is executed and the equipment administrator can be victimized.

2.   Countermeasures

TA Triumph-Adler is providing firmware that addresses the security vulnerability. This vulnerability is not expected to have any impact unless it is introduced into the customer's network from the outside. Firewalls and other security measures are recommended.

3.   Impact on our products

Below you will find an overview of TA Triumph-Adler products that are NOT affected by the security vulnerabilities.
Firmware updates are already available for the products listed below that are affected by the vulnerabilities:

Product

TA DCC 6526
TA DCC 6626
TA DCC 6526L
TA DCC 2626
TA DCC 2726 
TA CLP 4721
TA CLP 4726
TA 1855
TA 2256

We will publish further firmware updates here on an ongoing basis.


Status: November 15th, 2022