CVE-2017-6443

An unauthenticated remote attacker sends a POST request to `/Forms/oadmin_1` with the `W_AD1` parameter containing arbitrary JavaScript (e.g., `<script>window.alert(0)</script>`) [ref_id=1][ref_id=2]. The payload is stored persistently and executed in the browser of any user who subsequently visits `/istatus.htm` [ref_id=1][ref_id=2]. The application ships without a password by default, removing any authentication barrier [ref_id=1]. This is a stored (persistent) cross-site scripting attack [CWE-79].

The vulnerability resides in the `/Forms/oadmin_1` endpoint of EPSON TMNet WebConfig Ver. 1.00. The `W_AD1` POST parameter is accepted without sanitization and later rendered on the `/istatus.htm` page [ref_id=1][ref_id=2]. No patch files are available in this bundle.

No vendor patch or fix is included in this bundle. The researcher's only mitigation advice is to "consider adding strong authentication to this portal," noting the application ships without a password [ref_id=1]. A proper fix would require neutralizing HTML/JavaScript in the `W_AD1` parameter before storing it and before rendering it on the status page [CWE-79].

1. Send a POST request to `/Forms/oadmin_1` with the body `W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT` [ref_id=1][ref_id=2]. 2. Browse to `/istatus.htm` — the injected script executes in the browser [ref_id=1][ref_id=2].