JVNDB-2023-000022

Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config

Overview

Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains the following vulnerabilities:
  • Stored cross-site scripting (CWE-79) - CVE-2023-23572
  • Cross-site request forgery (CWE-352) - CVE-2023-27520

Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-23572.

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27520.
Affected Products

SEIKO EPSON CORPORATION
  • Web Config

Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to the developer, it is also called Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the developer.
Impact

  • An arbitrary script may be executed in the web browser of a user who is accessing the settings page of the product - CVE-2023-23572
  • If a user views a malicious page while logged in to the settings page of the product, unintended operations may be performed - CVE-2023-27520
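As an added illustration, not code from this advisory or from SEIKO EPSON, the following Python sketch of a generic settings-page handler puts the two weakness classes listed above beside their usual fixes: escaping a stored value at output time (CWE-79) and binding state-changing requests to a per-session token (CWE-352). The DeviceSettings class, the function names and the sample device name are all constructed for the example; nothing here describes how the affected products are implemented.

```python
import hmac
import html
import secrets
from typing import Dict, Optional


class DeviceSettings:
    """Stand-in for a device's settings store and its web session (constructed for this example)."""

    def __init__(self) -> None:
        self.name = "printer-01"               # a user-editable, stored setting
        self.csrf_token: Optional[str] = None  # token bound to the current web session


def render_name_vulnerable(settings: DeviceSettings) -> str:
    # CWE-79 pattern: a stored, user-controlled value is concatenated into the page unescaped,
    # so markup saved earlier runs in the browser of whoever views the settings page later.
    return f"<p>Device name: {settings.name}</p>"


def render_name_safe(settings: DeviceSettings) -> str:
    # Hardened form: HTML-escape the stored value at output time. quote=True also escapes
    # quotes, so the same helper is safe inside value="..." attributes.
    return f"<p>Device name: {html.escape(settings.name, quote=True)}</p>"


def issue_csrf_token(settings: DeviceSettings) -> str:
    # Per-session random token. The server embeds it in every state-changing form and checks
    # it on submission; a page on another origin cannot read it and so cannot supply it.
    settings.csrf_token = secrets.token_urlsafe(32)
    return settings.csrf_token


def update_name_vulnerable(settings: DeviceSettings, form: Dict[str, str]) -> bool:
    # CWE-352 pattern: any POST that arrives with the session cookie is applied, including one
    # submitted automatically by a page the logged-in user merely viewed.
    settings.name = form.get("name", settings.name)
    return True


def update_name_safe(settings: DeviceSettings, form: Dict[str, str],
                     submitted_token: Optional[str]) -> bool:
    # Hardened form: refuse the change unless the submitted token matches the session's token.
    # compare_digest avoids leaking the token through timing; the isascii guard keeps it from
    # raising TypeError on non-ASCII input.
    expected = settings.csrf_token
    if expected is None or submitted_token is None or not submitted_token.isascii():
        return False
    if not hmac.compare_digest(submitted_token, expected):
        return False
    settings.name = form.get("name", settings.name)
    return True


if __name__ == "__main__":
    s = DeviceSettings()
    # Constructed sample: a stored setting that contains markup.
    update_name_vulnerable(s, {"name": "<script>alert('x')</script>"})
    print(render_name_vulnerable(s))  # markup reaches the browser intact
    print(render_name_safe(s))        # markup is rendered as inert text
    token = issue_csrf_token(s)
    print(update_name_safe(s, {"name": "lobby-printer"}, None))   # False: no token, change rejected
    print(update_name_safe(s, {"name": "lobby-printer"}, token))  # True: legitimate form submission
```

The token check is one of the standard CSRF defences; on a real device it would be combined with a SameSite cookie attribute and an Origin/Referer check, and the escaping would be applied consistently by the template engine rather than by hand at each output point.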
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer states that the respective updates are scheduled to be released in April 2023.

[Apply workarounds]
The developer strongly recommends that users apply workarounds until the respective updates are available.

For more information, refer to the information provided by the developer.
Vendor Information

SEIKO EPSON CORPORATION

CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2023-27520
  2. CVE-2023-23572
References

  1. JVN : JVN#82424996

Revision History

  • [2023/03/08]
      Web page was published
  • [2023/04/19]
      Overview was modified
      CVSS Severity was modified
      Impact was modified