Stored cross-site scripting in Seiko Epson Corporation products - CVE-2023-27520

 


Published: March 8, 2023


Vulnerability identifier: #VU73149
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-27520
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Web Config
LP-9200PS2
LP-9200PS3
LP-8200C
LP-9600
LP-9600S
LP-9300
LP-8500C
LP-3000C
LP-8700PS3
LP-9800C
LP-S5500
LP-9200B
LP-9200C
LP-S4500
LP-S6500
LP-S7000
LP-S5000
LP-S4000
LP-S6000
LP-S5000R
LP-S5000Z
LP-S5000ZR
LP-S5300
LP-S5300R
LP-S300N
LP-S210
LP-S310
LP-S310N
LP-S3000
LP-S3000R
LP-S3000Z
LP-S3000PS
LP-S7500
LP-S7500AS
LP-S7500AH
LP-S7500AP
LP-S3500
LP-S4200
LP-S9000
LP-S7100
LP-S8100
PRIFNW1
PRIFNW1S
PRIFNW2
PRIFNW2AC
PRIFNW2S
PRIFNW2SAC
PRIFNW3
PRIFNW3S
PRIFNW6
PRIFNW7
PRIFNW7U
PRIFNW7S
PA-W11G
PA-11G2
ESNSB1
ESNSB2
ESIFNW1
Software vendor:
Seiko Epson Corporation

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
