Response to vulnerabilities in
Toshiba Tec's digital multi-function peripherals

October 25, 2024
Toshiba Tec Corporation

Thank you for using our products.

Several vulnerabilities have been identified in some of our multi-function peripherals. These issues do not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: e-STUDIO 908/ 1058/ 1208 (introduced in the North American market only)

  1. Some device web pages may cause the device to hang up due to an out-of-bounds memory reference
    : CVE-2024-42420/ 43424/ 45829
  2. Some device web pages may be vulnerable to path traversal attacks
    : CVE-2024-45842
  3. Some device web pages have APIs with improper access control
    : CVE-2024-47005
  4. Some device web pages have an alternate path that bypasses the authentication mechanism
    : CVE-2024-47406
  5. Some web pages may allow HTTP header injection
    : CVE-2024-47549
  6. Some web pages may be vulnerable to cross-site scripting attacks
    : CVE-2024-47801/ 48870

Solution

Ask your service provider to update the main unit software.

Workaround

When connecting to the Internet, connect to a network protected by a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.