Epson Expression Home XP255 20.08.FM10I8 Missing Authentication
[Suggested description]An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
By default, the device comes (and functions) without a password. The
user is at no point prompted to set up a password on the device
(leaving a number of devices without a password). In this case, anyone connecting to
the web admin panel is capable of becoming admin without using any
credentials.
By default, the device comes (and functions) without a password. The
user is at no point prompted to set up a password on the device
(leaving a number of devices without a password). In this case, anyone connecting to
the web admin panel is capable of becoming admin without using any
credentials.
——————————————
[Vulnerability Type]Incorrect Access Control——————————————
[Vendor of Product]Epson——————————————
[Affected Product Code Base]Expression Home XP255 – 20.08.FM10I8——————————————
[Affected Component]Web admin panel——————————————
[Attack Type]Remote——————————————
[Impact Escalation of Privileges]true——————————————
[Attack Vectors]The attacker needs to have access to port 80/TCP (the webserver) of the device.——————————————
[Has vendor confirmed or acknowledged the vulnerability?]true——————————————
[Discoverer]Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.——————————————
[Reference]https://epson.com/Support/sl/sUse CVE-2019-20458.