3.3 Low
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:L/Au:N/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
36.9%
FlashAir by Toshiba Corporation is a SDHC memory card which provides “Internet pass-thru Mode”, allowing devices to access the internet while connecting to FlashAir. When configured in “Internet pass-thru Mode”, FlashAir acts both as a station and as an access point.
When “Internet pass-thru Mode” is enabled, FlashAir does not require authentication on accepting a connection from STA (station) side LAN.
A remote unauthenticated attacker with access to STA side LAN can obtain files or data saved in the vulnerable product.
In addition, when FlashAir III / FlashAir W-03 series is configured to access/upload files or data by WebDAV without authentication, the files and data saved in the vulnerable product can be altered or an arbitrary Lua script can be executed.
Change default settings in the configuration
Before enabling “Internet pass thru Mode”, change the default settings to require authentication to the FlashAir web server.
In FlashAir API, followings are provided. Refer to the respective instructions for more information.
Japan
3.3 Low
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:L/Au:N/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
36.9%