QSearchQSearch

CVE-2021-38154

7.5 HIGH

Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HT...

Published: 2021-08-29 · Last updated: 2026-06-17

Severity and scoring

CVSS
7.5 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-732

Affected products

VendorProduct
canon-

Description

Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-39368 Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter (6.1 MEDIUM)
  • CVE-2021-39367 Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection (5.3 MEDIUM)
  • CVE-2021-38085 The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue (7.8 HIGH)

Same CWE

  • CVE-2026-53856 OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly ... (5.5 MEDIUM)
  • CVE-2026-0271 A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to exec...
  • CVE-2026-50570 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
  • CVE-2026-26422 clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation (8.4 HIGH)
  • CVE-2026-50590 In Mimecast Incydr before 2.6.0, arbitrary file access can occur (4.5 MEDIUM)