Thank you for using our products.

Several vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: e-STUDIO 908/ 1058/ 1208 (Introduced in North American market only)

1. Some device web pages may cause device hang-up due to out-of-bounds memory reference:
   : CVE-2024-42420/ 43424/ 45829
2. Some device web pages may cause path traversal attacks
   : CVE-2024-45842
3. Some device web pages have APIs that have improper access control authority
   : CVE-2024-47005
4. Some device web pages have an alternate path for bypassing authentication mechanism
   : CVE-2024-47406
5. Some web pages may be able to execute HTTP header injection
   : CVE-2024-47549
6. Some web pages may cause cross-site scripting attacks
   : CVE-2024-47801/ 48870

Solution

Ask your service provider to update the main unit software.

Workaround

When connecting to the Internet, connect to a network protected by firewall as described in the manual. Additionally, enable user authentication function and manage your passwords appropriately.