Published:2023/03/08  Last Updated:2023/04/18

JVN#82424996
Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config

Overview

SEIKO EPSON printers/network interface Web Config contains multiple vulnerabilities.

Products Affected

  • Web Config
Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to the developer, it is also called as Remote Manager in some products.

Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the developer.

Description

Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.

  • Stored cross-site Scripting (CWE-79) - CVE-2023-23572
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Cross-Site Request Forgery (CWE-352) - CVE-2023-27520
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • An arbitrary script may be executed on the web browser of the user who is accessing the settings page of the product - CVE-2023-23572
  • If a user views a malicious page while logged in to the settings page of the product, unintended operations may be performed - CVE-2023-27520

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer states that the respective updates are scheduled to be released in April 2023.

Apply workarounds
The developer strongly recommends users to apply workarounds before the respective updates are available.

For more information, refer to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-23572
CVE-2023-27520
JVN iPedia JVNDB-2023-000022

Update History

2023/04/18
Fixed the information under the section [Description] and [Impact].