Epson Xp 255

Epson XP255 CSRF Print Spoofing
CVE-2019-20460 8.8 - High - November 07, 2024

An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.

Session Riding

Epson XP255 20.08 Unauthenticated Admin Access
CVE-2019-20458 8.8 - High - November 07, 2024

An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set up a password on the device (leaving a number of devices without a password). In this case, anyone connecting to the web admin panel is capable of becoming admin without using any credentials.

Incorrect Default Permissions

Epson XP255 SNMPv1 Community String Vulnerability
CVE-2019-20459 8.4 - High - November 07, 2024

An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. With the SNMPv1 public community, all values can be read, and with the epson community, all the changeable values can be written/updated, as demonstrated by permanently disabling the network card or changing the DNS servers.