CVE-2020-28930 in EPS TSE Server 8
Summary
by MITRE • 12/17/2020
A Cross-Site Scripting (XSS) issue in the 'update user' and 'delete user' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/08/2026
This vulnerability represents a critical cross-site scripting flaw in the EPSON EPS TSE Server 8 version 21.0.11 that specifically targets the user management functionalities within the settings/users.php module. The vulnerability occurs when authenticated users with appropriate privileges attempt to update or delete user accounts, creating an opportunity for malicious actors to inject malicious JavaScript code into the user management interface. The flaw stems from inadequate input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before rendering it within the web application's response. This represents a classic persistent XSS vulnerability where the malicious payload is stored on the server and executed whenever an administrator accesses the user management page, making it particularly dangerous as it can affect multiple users simultaneously.
The technical exploitation of this vulnerability requires an authenticated attacker who has access to the user management functionality, typically through legitimate administrative credentials. Once the attacker successfully injects malicious JavaScript code into the user update or delete operations, the payload becomes persistent within the application's database or session storage. When an administrator subsequently navigates to the user management interface, the malicious script executes within the administrator's browser context, potentially allowing for session hijacking, credential theft, or further escalation of privileges. The vulnerability is classified under CWE-79 as a failure to sanitize user input before incorporating it into dynamic content, and it aligns with ATT&CK technique T1059.007 for script injection attacks. The attack vector specifically involves the manipulation of the update and delete user parameters, which are processed without proper sanitization, creating an execution environment where malicious code can be stored and later retrieved.
The operational impact of this vulnerability extends beyond simple data theft or session manipulation, as it provides attackers with a potential foothold for more sophisticated attacks within the EPSON EPS TSE Server environment. Administrators who access the compromised user management interface become victims of the injected JavaScript payloads, which could potentially redirect them to malicious sites, steal their authentication tokens, or even execute arbitrary commands on the server. The persistent nature of the vulnerability means that the malicious code remains active until manually removed from the application's database, creating a long-term security risk that could be exploited by multiple attackers over time. This vulnerability significantly undermines the principle of least privilege and can lead to complete compromise of the administrative interface, potentially allowing attackers to modify user permissions, add new administrator accounts, or access sensitive system information. The impact is particularly severe given that the vulnerability affects the core user management functionality of the server, which is essential for maintaining system security and access control.
Organizations utilizing EPSON EPS TSE Server 8 should immediately implement multiple layers of mitigation strategies to address this vulnerability. The primary remediation involves implementing proper input validation and output encoding mechanisms that sanitize all user-supplied data before processing or storing it within the application. This includes implementing Content Security Policy headers to prevent execution of unauthorized scripts, as well as ensuring that all user inputs are properly escaped when rendered in the web interface. Additionally, organizations should implement strict access controls and monitoring for user management activities, as any unusual modifications to user accounts should trigger immediate alerts. The vulnerability also highlights the importance of regular security updates and patch management, as this issue may have been addressed in subsequent versions of the EPSON EPS TSE Server software. Network segmentation and least privilege access controls should be enforced to limit the potential impact of successful exploitation, while comprehensive logging and audit trails should be maintained to detect and investigate any suspicious activities related to user management operations. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other components of the system.