Response to vulnerabilities in the "Web Browser Configuration" function installed in some of Toshiba Tec’s digital multi-function peripherals
March 6, 2024
Toshiba Tec Corporation
Thank you for using our products.
A vulnerability has been identified in the "Web Browser Configuration" function of some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.
Vulnerability details
- Target Products
  - e-STUDIO 301DN/302DNF (These products have been sold only in the Chinese market.)
- 1. Vulnerability Reference
  - CVE-2024-21824 Session Management Vulnerability
- Details
  - An attacker could log into the server setting screen using cookie values stolen by eavesdropping on communications or by attacking the user's web browser.
- 2. Vulnerability Reference
  - CVE-2024-22475 Cross-site Request Forgery Vulnerability
- Details
  - If the user accesses a web page that an attacker has set up and submits requests to the machine, the settings of the Web Based Management could be tampered with.
- Solution
  - Ask your service company to update the main unit software.
- Workaround
  - When connecting to the Internet, connect to a network protected by a firewall, as described in the manual.