All the vulnerabilities related to SEIKO EPSON CORPORATION - Web Config
cve-2024-47295
Vulnerability from cvelistv5
Published
2024-10-01 03:16
Modified
2024-11-11 07:15
Summary
Insecure initial password configuration issue in SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary password and operate the device with an administrative privilege. As for the details of the affected versions, see the information provided by the vendor under [References].
Impacted products


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:seiko_epson_corporation:web_config:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "web_config",
            "vendor": "seiko_epson_corporation",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47295",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-01T14:01:15.326202Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-01T14:01:18.787Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Web Config",
          "vendor": "SEIKO EPSON CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "See the information/details provided by the vendor"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure initial password configuration issue in SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary password and operate the device with an administrative privilege. As for the details of the affected versions, see the information provided by the vendor under [References]."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "Initialization of a resource with an insecure default",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-11T07:15:21.646Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://epson.com/Support/wa00958"
        },
        {
          "url": "https://www.epson.jp/support/misc_t/240930_03_oshirase.htm"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU95133448/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-47295",
    "datePublished": "2024-10-01T03:16:40.052Z",
    "dateReserved": "2024-09-24T08:32:15.357Z",
    "dateUpdated": "2024-11-11T07:15:21.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

jvndb-2024-009481
Vulnerability from jvndb
Published
2024-10-01 14:14
Modified
2024-11-12 10:25
Severity ?
Summary
Insecure initial password configuration issue in SEIKO EPSON Web Config
Details
Web Config is software that allows users to check the status and change the settings of SEIKO EPSON products, e.g., printers and scanners, via a web browser. In the initial setting, no administrative password is set; when a user connects the device and configures Web Config settings for the first time, the user is asked to set the password. Therefore, when a product is connected to a network without the Web Config settings having been configured, an attacker may set an arbitrary password and operate the device with administrative privileges (CWE-1188). The exposure described here applies while no administrative password has been set on the device. George Puckett reported this vulnerability to CERT/CC. At the request of CERT/CC, JPCERT/CC coordinated with the developer.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-009481.html",
  "dc:date": "2024-11-12T10:25+09:00",
  "dcterms:issued": "2024-10-01T14:14+09:00",
  "dcterms:modified": "2024-11-12T10:25+09:00",
  "description": "Web Config is software that allows users to check the status and change the settings of SEIKO EPSON products, e.g., printers and scanners, via a web browser. In the initial setting no administrative password is set, and when a user connects the device and configures Web Config settings for the first time, the user is requested to set the password.\r\nTherefore, when a product is connected to network without the Web Config settings configured, arbitrary password may be set and the device may be operated with an administrative privilege by an attacker (CWE-1188).\r\n\r\nGeorge Puckett reported this vulnerability to CERT/CC.\r\nRequested by CERT/CC, JPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-009481.html",
  "sec:cpe": {
    "#text": "cpe:/a:epson:web_config",
    "@product": "Web Config",
    "@vendor": "SEIKO EPSON CORPORATION",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "8.1",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-009481",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU95133448/index.html",
      "@id": "JVNVU#95133448",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-47295",
      "@id": "CVE-2024-47295",
      "@source": "CVE"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/1188.html",
      "@id": "CWE-1188",
      "@title": "Insecure Default Initialization of Resource(CWE-1188)"
    }
  ],
  "title": "Insecure initial password configuration issue in SEIKO EPSON Web Config"
}

jvndb-2023-000022
Vulnerability from jvndb
Published
2023-03-08 15:09
Modified
2024-06-03 17:36
Severity ?
Summary
Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config
Details
Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2023-23572
- Cross-Site Request Forgery (CWE-352) - CVE-2023-27520
Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000022.html",
  "dc:date": "2024-06-03T17:36+09:00",
  "dcterms:issued": "2023-03-08T15:09+09:00",
  "dcterms:modified": "2024-06-03T17:36+09:00",
  "description": "Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.\r\n\u003cli\u003eStored cross-site Scripting (CWE-79) - CVE-2023-23572\r\n\u003cli\u003eCross-Site Request Forgery (CWE-352) - CVE-2023-27520\r\n\r\nTakaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000022.html",
  "sec:cpe": {
    "#text": "cpe:/a:epson:web_config",
    "@product": "Web Config",
    "@vendor": "SEIKO EPSON CORPORATION",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000022",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN82424996/index.html",
      "@id": "JVN#82424996",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-27520",
      "@id": "CVE-2023-27520",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-23572",
      "@id": "CVE-2023-23572",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-23572",
      "@id": "CVE-2023-23572",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-27520",
      "@id": "CVE-2023-27520",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-352",
      "@title": "Cross-Site Request Forgery(CWE-352)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config"
}

jvndb-2023-000076
Vulnerability from jvndb
Published
2023-08-02 14:55
Modified
2024-04-19 17:27
Severity ?
Summary
SEIKO EPSON printer Web Config vulnerable to denial-of-service (DoS)
Details
SEIKO EPSON printer Web Config contains a denial-of-service (DoS) vulnerability due to improper input validation (CWE-20). SEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and SEIKO EPSON CORPORATION coordinated under the Information Security Early Warning Partnership.
Impacted products


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000076.html",
  "dc:date": "2024-04-19T17:27+09:00",
  "dcterms:issued": "2023-08-02T14:55+09:00",
  "dcterms:modified": "2024-04-19T17:27+09:00",
  "description": "SEIKO EPSON printer Web Config contains a denial-of-service (DoS) vulnerability due to improper input validation (CWE-20).\r\n\r\nSEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and SEIKO EPSON CORPORATION coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000076.html",
  "sec:cpe": {
    "#text": "cpe:/a:epson:web_config",
    "@product": "Web Config",
    "@vendor": "SEIKO EPSON CORPORATION",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
      "@version": "2.0"
    },
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000076",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN61337171/index.html",
      "@id": "JVN#61337171",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-38556",
      "@id": "CVE-2023-38556",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-38556",
      "@id": "CVE-2023-38556",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "SEIKO EPSON printer Web Config vulnerable to denial-of-service (DoS)"
}