
Epson Expression Home XP255 20.08.FM10I8 Cross Site Request Forgery

An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests do not require anti-CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.

Packet Storm

[Suggested description]
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
POST requests don’t require (anti-)CSRF tokens or other
mechanisms for validating that the request is from a legitimate
source.
In addition, CSRF attacks can be used to send text directly to the RAW
printer interface. For example, an attack could deliver a worrisome printout to an end user.


[Vulnerability Type]
Cross Site Request Forgery (CSRF)


[Vendor of Product]
Epson


[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8


[Affected Component]
Web admin panel, RAW printing protocol


[Attack Type]
Remote


[Impact Escalation of Privileges]
true


[Attack Vectors]
Using a CSRF attack, the web admin panel is attacked.


[Has vendor confirmed or acknowledged the vulnerability?]
true


[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.


[Reference]
https://epson.com/Support/sl/s

Use CVE-2019-20460.
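
The description says POST requests carry no anti-CSRF token or any other validation of the request source. The following is an added example of the kind of server-side check that is missing; it is not code from the advisory or from Epson. The origin `http://printer.example`, the `csrf_token` form field and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for illustration; nothing here comes from the Epson firmware.
SERVER_KEY = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"http://printer.example"}  # hypothetical admin-panel origin

def _mac(session_id, nonce):
    # Nonce goes first and is alphanumeric, so the ":" separator is unambiguous.
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    """Per-session token: random nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_valid(session_id, token):
    nonce, sep, mac = (token or "").partition(".")
    if not sep or not nonce.isalnum():
        return False
    # Constant-time comparison of the submitted and expected MAC.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def source_origin(headers):
    """Origin header if usable, else the origin part of Referer, else None."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    try:
        ref = urlsplit(headers.get("Referer", ""))
    except ValueError:
        return None
    if ref.scheme and ref.netloc:
        return f"{ref.scheme}://{ref.netloc}"
    return None

def check_post(headers, form, session_id):
    """Return (allowed, reason) for a state-changing POST to the admin panel."""
    origin = source_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"  # strict policy: reject unknown source
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    if not token_valid(session_id, form.get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Both checks are applied to every state-changing POST: the source check rejects requests that originate from another site, and the session-bound token rejects requests that a page on another origin cannot read or predict.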
