Toshiba warns of vulnerability in MFPs
March 6, 2024
The company published a response to a vulnerability in the “Web Browser Configuration” function installed in some of Toshiba Tec’s digital multi-function peripherals.
A vulnerability has been identified in the “Web Browser Configuration” function of some of Toshiba’s multi-function peripherals. The company confirmed that this issue does not result in the leakage of information from the product to outside parties.
The affected products are e-STUDIO 301DN/302DNF devices. These products have been sold only in the Chinese market.
One of the vulnerabilities is CVE-2024-21824, a ‘Session Management Vulnerability’ whereby an attacker could log into the server setting screen using cookie values stolen by eavesdropping on communications or by attacking the user’s web browser.
Also identified was CVE-2024-22475, a ‘Cross-site Request Forgery Vulnerability’ whereby, if the user accesses a web page that an attacker set up and submits requests to the machine, the settings of the Web Based Management could be tampered with.
Toshiba is recommending firmware updates and offers a workaround: when connecting to the Internet, connect through a network protected by a firewall, as described in the manual.