{"id":58549,"date":"2024-07-30T19:49:43","date_gmt":"2024-07-30T16:49:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179807\/epsonexpressionxp255-missingauth.txt"},"modified":"2024-07-30T19:49:43","modified_gmt":"2024-07-30T16:49:43","slug":"epson-expression-home-xp255-20-08-fm10i8-missing-authentication","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/epson-expression-home-xp255-20-08-fm10i8-missing-authentication\/","title":{"rendered":"Epson Expression Home XP255 20.08.FM10I8 Missing Authentication"},"content":{"rendered":"[Suggested description]An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
By default, the device comes (and functions) without a password. The
user is at no point prompted to set up a password on the device
(leaving a number of devices without a password). In this case, anyone connecting to
the web admin panel is capable of becoming admin without using any
credentials.<\/p>\n

——————————————<\/p>\n[Vulnerability Type]Incorrect Access Control<\/p>\n

——————————————<\/p>\n[Vendor of Product]Epson<\/p>\n

——————————————<\/p>\n[Affected Product Code Base]Expression Home XP255 – 20.08.FM10I8<\/p>\n

——————————————<\/p>\n[Affected Component]Web admin panel<\/p>\n

——————————————<\/p>\n[Attack Type]Remote<\/p>\n

——————————————<\/p>\n[Impact Escalation of Privileges]true<\/p>\n

——————————————<\/p>\n[Attack Vectors]The attacker needs to have access to port 80\/TCP (the webserver) of the device.<\/p>\n

——————————————<\/p>\n[Has vendor confirmed or acknowledged the vulnerability?]true<\/p>\n

——————————————<\/p>\n[Discoverer]Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.<\/p>\n

——————————————<\/p>\n[Reference]https:\/\/epson.com\/Support\/sl\/s<\/p>\n

Use CVE-2019-20458.<\/p>\n","protected":false},"excerpt":{"rendered":"

[Suggested description]An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.By default, the device comes (and functions) without a password. Theuser is at no point prompted to set up a password on the device(leaving a number of devices without a password). In this case, anyone connecting tothe web admin panel is capable of becoming …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58549","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58549"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58549\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}