Response to vulnerabilities in Toshiba Tec's digital multi-function peripherals
October 25, 2024
Toshiba Tec Corporation
Thank you for using our products.
Several vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.
Vulnerability details
Target Products: e-STUDIO 908/ 1058/ 1208 (Introduced in North American market only)
- Some device web pages may cause device hang-up due to out-of-bounds memory reference: CVE-2024-42420/ 43424/ 45829
- Some device web pages may cause path traversal attacks: CVE-2024-45842
- Some device web pages have APIs that have improper access control authority: CVE-2024-47005
- Some device web pages have an alternate path for bypassing authentication mechanism: CVE-2024-47406
- Some web pages may be able to execute HTTP header injection: CVE-2024-47549
- Some web pages may cause cross-site scripting attacks: CVE-2024-47801/ 48870
- Solution
  - Ask your service provider to update the main unit software.
- Workaround
  - When connecting to the Internet, connect to a network protected by a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.