
CVE-2023-27520: Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config

Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called Remote Manager in some products. Web Config is pre-installed in some printers/network interfaces provided by SEIKO EPSON CORPORATION. For details of the affected product names/model numbers, refer to the information provided by the vendor.

CVE
#xss#csrf#vulnerability#web#auth

Published:2023/03/08 Last Updated:2023/03/08

Overview

SEIKO EPSON printers/network interface Web Config contains multiple vulnerabilities.

Products Affected

  • Web Config

Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to the developer, it is also called Remote Manager in some products.

Web Config is pre-installed in some printers/network interfaces provided by SEIKO EPSON CORPORATION. For details of the affected product names/model numbers, refer to the information provided by the developer.

Description

Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.

  • Stored Cross-site Scripting (CWE-79) - CVE-2023-27520

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

    Base Score: 4.8

    CVSS v2

    AV:N/AC:M/Au:S/C:N/I:P/A:N

    Base Score: 3.5

  • Cross-Site Request Forgery (CWE-352) - CVE-2023-23572

    CVSS v3

    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

    Base Score: 4.3

    CVSS v2

    AV:N/AC:H/Au:N/C:N/I:P/A:N

    Base Score: 2.6

Impact

  • An arbitrary script may be executed on the web browser of the user who is accessing the settings page of the product - CVE-2023-27520
  • If a user views a malicious page while logged in to the settings page of the product, unintended operations may be performed - CVE-2023-23572
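The two impact bullets correspond to two missing server-side controls in a device's web settings page: output encoding for values an administrator stored (CWE-79) and origin/token validation for state-changing requests (CWE-352). The snippet below is an added, generic illustration of both controls in a request handler, not code from Web Config or from SEIKO EPSON; the device origin `http://printer.example`, the constructed requests and the attacker page origin are placeholders chosen for the example.

```python
"""Added example: CSRF and stored-XSS defences for a device settings page (generic, not Web Config)."""
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Placeholder origin of the device's own web UI (assumption for the example).
DEVICE_ORIGIN = "http://printer.example"


def issue_session():
    """Create a login session carrying a per-session CSRF token (synchronizer token pattern)."""
    return {"id": secrets.token_urlsafe(16), "csrf_token": secrets.token_urlsafe(32)}


def check_state_change(request, session):
    """Decide whether a settings-changing request may be applied.

    request: {"method": str, "headers": {...}, "form": {...}} as parsed from the HTTP request.
    Returns (accepted, reason). Two independent checks are applied so that a stripped
    Origin header alone cannot bypass the protection and a leaked token alone cannot either.
    """
    if request["method"] != "POST":
        return False, "settings changes must use POST, never GET"
    # Check 1: the browser-supplied Origin (or Referer) must be the device itself.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None:
        return False, "missing Origin/Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != DEVICE_ORIGIN:
        return False, "cross-origin request rejected"
    # Check 2: the form must carry the token bound to the logged-in session.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False, "CSRF token missing or invalid"
    return True, "ok"


def render_setting_row(name, value):
    """Render a stored setting into the status page with HTML-escaped name and value."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


# --- Constructed sample traffic for the example -------------------------------
SESSION = issue_session()

LEGITIMATE_POST = {
    "method": "POST",
    "headers": {"Origin": DEVICE_ORIGIN, "Cookie": f"sid={SESSION['id']}"},
    "form": {"device_name": "Office-Printer", "csrf_token": SESSION["csrf_token"]},
}

# A request a browser would send from a third-party page while the admin is logged in:
# the session cookie rides along, but Origin is foreign and no token is present.
FORGED_POST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker-page.example", "Cookie": f"sid={SESSION['id']}"},
    "form": {"device_name": "changed-by-forgery"},
}

# A stored value containing markup, as an administrator-supplied setting might.
STORED_NAME = '<script>alert("stored")</script>'


if __name__ == "__main__":
    print(check_state_change(LEGITIMATE_POST, SESSION))
    print(check_state_change(FORGED_POST, SESSION))
    print(render_setting_row("device_name", STORED_NAME))
```

The order of the checks matters for logging: a failing Origin check is a strong signal of forgery from another site and is worth recording at the device or proxy, whereas a token mismatch on a same-origin request usually indicates an expired session. Until the firmware update is applied, the vendor's workaround advice (not reachable from this page) is the only control on the device side; the example shows what the fixed handler needs to enforce.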

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer states that the respective updates are scheduled to be released in April 2023.

Apply workarounds
The developer strongly recommends that users apply workarounds until the respective updates are available.

For more information, refer to the information provided by the developer.

Credit

Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
