CVE-2023-23572

11.04.2023, 09:15

Cross-site scripting vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
jpcert	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	4.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Vendor	Product	Version
epson	lp-9200ps2_firmware	-
epson	lp-9200ps3_firmware	-
epson	lp-8200c_firmware	-
epson	lp-9600_firmware	-
epson	lp-9600s_firmware	-
epson	lp-9300_firmware	-
epson	lp-8500c_firmware	-
epson	lp-8700ps3_firmware	-
epson	lp-9800c_firmware	-
epson	lp-s5500_firmware	-
epson	lp-9200b_firmware	-
epson	lp-9200c_firmware	-
epson	lp-s4500_firmware	-
epson	lp-s6500_firmware	-
epson	lp-s7000_firmware	-
epson	lp-s5000_firmware	-
epson	lp-s4000_firmware	-
epson	lp-s6000_firmware	-
epson	lp-s5300_firmware	-
epson	lp-s5300r_firmware	-
epson	lp-s300n_firmware	-
epson	lp-s310n_firmware	-
epson	lp-s3000_firmware	-
epson	lp-s3000r_firmware	-
epson	lp-s3000z_firmware	-
epson	lp-s3000ps_firmware	-
epson	lp-s7500_firmware	-
epson	lp-s7500ps_firmware	-
epson	lp-s3500_firmware	-
epson	lp-s4200_firmware	-
epson	lp-s9000_firmware	-
epson	lp-s7100_firmware	-
epson	lp-s8100_firmware	-
epson	prifnw1_firmware	-
epson	prifnw1s_firmware	-
epson	prifnw2_firmware	-
epson	prifnw2ac_firmware	-
epson	prifnw2s_firmware	-
epson	prifnw2sac_firmware	-
epson	prifnw3_firmware	-
epson	prifnw3s_firmware	-
epson	prifnw6_firmware	-
epson	prifnw7_firmware	-
epson	prifnw7u_firmware	-
epson	prifnw7s_firmware	-
epson	pa-w11g_firmware	-
epson	pa-w11g2_firmware	-
epson	esnsb1_firmware	-
epson	esnsb2_firmware	-
epson	esifnw1_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://jvn.jp/en/jp/JVN82424996/

https://www.epson.jp/support/misc_t/230308_oshirase.htm

https://jvn.jp/en/jp/JVN82424996/

https://www.epson.jp/support/misc_t/230308_oshirase.htm