#VU73149 Stored cross-site scripting in Seiko Epson Corporation products - CVE-2023-27520

Cybersecurity Help s.r.o.

Published: 2023-03-08

Vulnerability identifier: #VU73149

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-27520

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Web Config
Web applications / Other software
LP-9200PS2
Hardware solutions / Office equipment, IP-phones, print servers
LP-9200PS3
Hardware solutions / Office equipment, IP-phones, print servers
LP-8200C
Hardware solutions / Office equipment, IP-phones, print servers
LP-9600
Hardware solutions / Office equipment, IP-phones, print servers
LP-9600S
Hardware solutions / Office equipment, IP-phones, print servers
LP-9300
Hardware solutions / Office equipment, IP-phones, print servers
LP-8500C
Hardware solutions / Office equipment, IP-phones, print servers
LP-3000C
Hardware solutions / Office equipment, IP-phones, print servers
LP-8700PS3
Hardware solutions / Office equipment, IP-phones, print servers
LP-9800C
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5500
Hardware solutions / Office equipment, IP-phones, print servers
LP-9200B
Hardware solutions / Office equipment, IP-phones, print servers
LP-9200C
Hardware solutions / Office equipment, IP-phones, print servers
LP-S4500
Hardware solutions / Office equipment, IP-phones, print servers
LP-S6500
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S4000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S6000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5000R
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5000Z
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5000ZR
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5300
Hardware solutions / Office equipment, IP-phones, print servers
LP-S5300R
Hardware solutions / Office equipment, IP-phones, print servers
LP-S300N
Hardware solutions / Office equipment, IP-phones, print servers
LP-S210
Hardware solutions / Office equipment, IP-phones, print servers
LP-S310
Hardware solutions / Office equipment, IP-phones, print servers
LP-S310N
Hardware solutions / Office equipment, IP-phones, print servers
LP-S3000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S3000R
Hardware solutions / Office equipment, IP-phones, print servers
LP-S3000Z
Hardware solutions / Office equipment, IP-phones, print servers
LP-S3000PS
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7500
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7500AS
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7500AH
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7500AP
Hardware solutions / Office equipment, IP-phones, print servers
LP-S3500
Hardware solutions / Office equipment, IP-phones, print servers
LP-S4200
Hardware solutions / Office equipment, IP-phones, print servers
LP-S9000
Hardware solutions / Office equipment, IP-phones, print servers
LP-S7100
Hardware solutions / Office equipment, IP-phones, print servers
LP-S8100
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW1
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW1S
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW2
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW2AC
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW2S
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW2SAC
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW3
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW3S
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW6
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW7
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW7U
Hardware solutions / Office equipment, IP-phones, print servers
PRIFNW7S
Hardware solutions / Office equipment, IP-phones, print servers
PA-W11G
Hardware solutions / Office equipment, IP-phones, print servers
PA-11G2
Hardware solutions / Office equipment, IP-phones, print servers
ESNSB1
Hardware solutions / Office equipment, IP-phones, print servers
ESNSB2
Hardware solutions / Office equipment, IP-phones, print servers
ESIFNW1
Hardware solutions / Office equipment, IP-phones, print servers

Vendor: Seiko Epson Corporation

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Web Config: All versions

LP-9200PS2: All versions

LP-9200PS3: All versions

LP-8200C: All versions

LP-9600: All versions

LP-9600S: All versions

LP-9300: All versions

LP-8500C: All versions

LP-3000C: All versions

LP-8700PS3: All versions

LP-9800C: All versions

LP-S5500: All versions

LP-9200B: All versions

LP-9200C: All versions

LP-S4500: All versions

LP-S6500: All versions

LP-S7000: All versions

LP-S5000: All versions

LP-S4000: All versions

LP-S6000: All versions

LP-S5000R: All versions

LP-S5000Z: All versions

LP-S5000ZR: All versions

LP-S5300: All versions

LP-S5300R: All versions

LP-S300N: All versions

LP-S210: All versions

LP-S310: All versions

LP-S310N: All versions

LP-S3000: All versions

LP-S3000R: All versions

LP-S3000Z: All versions

LP-S3000PS: All versions

LP-S7500: All versions

LP-S7500AS: All versions

LP-S7500AH: All versions

LP-S7500AP: All versions

LP-S3500: All versions

LP-S4200: All versions

LP-S9000: All versions

LP-S7100: All versions

LP-S8100: All versions

PRIFNW1: All versions

PRIFNW1S: All versions

PRIFNW2: All versions

PRIFNW2AC: All versions

PRIFNW2S: All versions

PRIFNW2SAC: All versions

PRIFNW3: All versions

PRIFNW3S: All versions

PRIFNW6: All versions

PRIFNW7: All versions

PRIFNW7U: All versions

PRIFNW7S: All versions

PA-W11G: All versions

PA-11G2: All versions

ESNSB1: All versions

ESNSB2: All versions

ESIFNW1: All versions

External links
https://jvn.jp/en/jp/JVN82424996/index.html
https://www.epson.jp/support/misc_t/230308_oshirase.htm

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Stored cross-site scripting in SEIKO EPSON printers/network interface Web Config