Response to vulnerabilities in the "Web Browser Configuration" function installed in some of Toshiba Tec’s digital multi-function peripherals

March 6, 2024
Toshiba Tec Corporation

Thank you for using our products.

A vulnerability has been identified in the "Web Browser Configuration" function of some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products
e-STUDIO 301DN / 302DNF (These products have been sold only in the Chinese market.)
1. Vulnerability Reference
CVE-2024-21824 Session Management Vulnerability
An attacker could log into the server setting screen using cookie values stolen by eavesdropping on communications or by attacking the user's web browser.
2. Vulnerability Reference
CVE-2024-22475 Cross-site Request Forgery Vulnerability
If the user accesses a web page set up by an attacker and submits requests to the machine, the settings of the Web Based Management could be tampered with.

Ask your service company to update the main unit software.
When connecting to the Internet, connect to a network protected by a firewall as described in the manual.