Toshiba Tec Reports on Several e-STUDIO MFP Security Vulnerabilities
On October 25th, Toshiba Tec Corporation of Japan warned that several of its e-STUDIO MFP models have a number of potential security vulnerabilities. However, it said that the vulnerabilities don’t result in the leakage of information from the product to outside parties.
According to the firm, the e-STUDIO 908/1058/1208 MFPs (North American market only) may have these vulnerabilities:
- Some device Web pages may cause the device to hang due to an out-of-bounds memory reference: CVE-2024-42420/43424/45829
- Some device Web pages may allow path traversal attacks: CVE-2024-45842
- Some device Web pages have APIs with improper access control authority: CVE-2024-47005
- Some device Web pages have an alternate path that bypasses the authentication mechanism: CVE-2024-47406
- Some Web pages may allow HTTP header injection: CVE-2024-47549
- Some Web pages may allow cross-site scripting attacks: CVE-2024-47801/48870
Toshiba recommends that customers ask their service provider to update the main unit software. It also recommends that a device connected to the Internet be placed on a network protected by a firewall, as described in the user manual. Customers should also enable the user authentication function and manage passwords appropriately.