JVN#82424996
Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config
Overview
SEIKO EPSON printers/network interface Web Config contains multiple vulnerabilities.
Products Affected
- Web Config
Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the developer.
Description
Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2023-23572
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.8
  CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
- Cross-Site Request Forgery (CWE-352) - CVE-2023-27520
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- An arbitrary script may be executed on the web browser of the user who is accessing the settings page of the product - CVE-2023-23572
- If a user views a malicious page while logged in to the settings page of the product, unintended operations may be performed - CVE-2023-27520
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer states that the respective updates are scheduled to be released in April 2023.
Apply workarounds
The developer strongly recommends that users apply workarounds before the respective updates are available.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
SEIKO EPSON CORPORATION | Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2023-23572, CVE-2023-27520 |
JVN iPedia | JVNDB-2023-000022 |
Update History
- 2023/04/18: Fixed the information under the sections [Description] and [Impact].