Cross-Site Scripting (XSS) Vulnerability
Vulnerability Reference: CVE-2023-23572
Description:
A vulnerability has been identified in Web Config*, the software on some Epson printers and network interface products that lets you check the status of the product or change its settings from a Web browser.
Impact:
If a user accesses a specially crafted page, a script may be embedded in the settings of the product itself through the Web Config of the product in question. Currently, there are no reports of attacks exploiting this vulnerability.
Solution:
To ensure the security of your Epson product, please download and install the latest EPSON Firmware Update for your product by navigating to your product's support page. It is recommended to follow one or both of the following procedures to secure your Epson product.
Product Name | XSS Vulnerability | Countermeasure | Scheduled Firmware Update Release |
---|---|---|---|
EpsonNet 10/100 Base TX USB Print Server (C82402*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base TX USB Print Server (C82403*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx High Speed Int.Print Server (C82405*) | Applicable | Workaround Below | ― |
EpsonNet 802.11g wireless Ext. Print Server (C82422*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Int. Print Server 5 (C82434*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Int. Print Server 5e (C82435*) | Applicable | Workaround Below | ― |
EpsonNet 802.11b/g Wireless and 10/100 Base Tx Ext. Print Server (C82437*) | Applicable | Workaround Below | ― |
EpsonNet Authentication Print (C82440*) | Applicable | Workaround Below | ― |
EpsonNet 10 Base 2/T Int. Print Server (C82362*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Ext. Print Server (C82363*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Ext. Print Server (C82364*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx External Print Server (C82378*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Int. Print Server (C82384*) | Applicable | Workaround Below | ― |
EpsonNet 10/100 Base Tx Int. Print Server 2 (C82391*) | Applicable | Workaround Below | ― |
EpsonNet 802.11b Wireless Ext. Print Server (C82396*) | Applicable | Workaround Below | ― |
EpsonNet 802.11b Wireless Ext. Print Server (C82397*) | Applicable | Workaround Below | ― |
EpsonNet 802.11b Wireless Ext. Print Server (C82398*) | Applicable | Workaround Below | ― |
EPSON Network Image Express (B80836*) | Applicable | Workaround Below | ― |
EPSON Network Image Express Card (B80839*) | Applicable | Workaround Below | ― |
Workaround Procedure 1:
- The product should not be directly connected to the Internet and should be installed in a network protected by a firewall. In that case, set a private IP address for the product and operate it with that address.
- Set an administrator password for each product. The administrator password should be a complex string that is difficult for others to guess, for example 8 characters or more, mixing symbols and numbers with English characters.
Please check the Security Guidebook here.
Workaround Procedure 2:
For the affected products, you can block HTTP access (TCP/80 port) in Web Config.
After configuring the product, block HTTP access (TCP/80 port) to the product with a network device (router or switch).
Open the port only when you need to update the application settings or firmware.
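
The following check is an added example, not Epson's code: it verifies for an inventory of devices that each address is private (Workaround Procedure 1) and that TCP/80 is not reachable (Workaround Procedure 2). The device names and addresses are constructed, and reading "private IP address" as the RFC 1918 ranges is an assumption.

```python
import ipaddress
import socket

# "Private IP address" is taken here to mean the RFC 1918 ranges (assumption).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True when addr lies in an RFC 1918 private range (Workaround Procedure 1)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def http_port_open(addr, port=80, timeout=2.0):
    """True when a TCP connection to addr:port succeeds, i.e. Web Config is reachable."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out) or unreachable
        return False

def audit(devices, port=80, timeout=2.0):
    """Map each device name to the list of workaround checks it fails."""
    findings = {}
    for name, addr in devices.items():
        issues = []
        if not is_rfc1918(addr):
            issues.append("address is not RFC 1918 private")
        if http_port_open(addr, port, timeout):
            issues.append(f"TCP/{port} reachable from this host")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    # Constructed inventory: replace with the addresses of your own print servers.
    DEVICES = {"print-server-floor1": "192.168.10.20",
               "print-server-lab": "10.20.30.40"}
    for name, issues in audit(DEVICES).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it from a host on the far side of the router or switch that applies the block; a host in the same segment as the device may still reach port 80.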