Epson Expression Home XP255 20.08.FM10I8 Cross Site Request Forgery
[Suggested description]An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
POST requests don’t require (anti-)CSRF tokens or other
mechanisms for validating that the request is from a legitimate
source.
In addition, CSRF attacks can be used to send text directly to the RAW
printer interface. For example, an attack could deliver a worrisome printout to an end user.
POST requests don’t require (anti-)CSRF tokens or other
mechanisms for validating that the request is from a legitimate
source.
In addition, CSRF attacks can be used to send text directly to the RAW
printer interface. For example, an attack could deliver a worrisome printout to an end user.
——————————————
[Vulnerability Type]Cross Site Request Forgery (CSRF)——————————————
[Vendor of Product]Epson——————————————
[Affected Product Code Base]Expression Home XP255 – 20.08.FM10I8——————————————
[Affected Component]Web admin panel, RAW printing protocol——————————————
[Attack Type]Remote——————————————
[Impact Escalation of Privileges]true——————————————
[Attack Vectors]Using a CSRF attack, the web admin panel is attacked.——————————————
[Has vendor confirmed or acknowledged the vulnerability?]true——————————————
[Discoverer]Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.——————————————
[Reference]https://epson.com/Support/sl/sUse CVE-2019-20460.