VYPR
Unrated severity · NVD Advisory · Published Apr 11, 2023 · Updated Feb 11, 2025

CVE-2023-23572

Description

A stored XSS vulnerability in SEIKO EPSON printer Web Config allows an authenticated administrator to inject arbitrary scripts, which then execute in the browser of users accessing the settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Web Config (also known as Remote Manager) interface of certain SEIKO EPSON printers and network interface products [1][2]. An authenticated attacker with administrative privileges can inject arbitrary scripts into the product's settings via Web Config. When other users (or the same user) access the settings page, the injected script executes in their browser. The affected product list is provided by the vendor [1].

Exploitation

To exploit this vulnerability, an attacker must first obtain administrative credentials for the target device's Web Config. With admin access, the attacker can craft a malicious script and inject it into the device configuration (e.g., through a specially crafted page). Subsequently, any user who views the settings page of the affected product will trigger the execution of the injected script in their web browser [2]. No user interaction beyond viewing the settings page is required for the script to execute.

Impact

Successful exploitation allows arbitrary script execution in the context of the Web Config settings page. This can lead to session hijacking, defacement, or further compromise of the user's browser session. The CVSS v3 base score is 4.8 (Medium) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating low confidentiality and integrity impact but with scope change [2].

Mitigation

The vendor recommends updating the firmware to the latest version, with updates scheduled for release in April 2023 [1][2]. Users should apply the firmware update as soon as it becomes available. As a workaround, the vendor advises restricting network access to the Web Config interface and ensuring that only trusted administrators have credentials. No public reports of exploitation have been confirmed as of the advisory date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Epson/Web Config (llm-fuzzy)
  • SEIKO EPSON CORPORATION/SEIKO EPSON printers/network interface Web Config (v5)
    Range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
