Konrad Leszczynski

**Name of the Vulnerable Software and Affected Versions** Brother MFC-J491DW version C1806180757 **Description** An issue was discovered where the printer's web-interface password hash can be retrieved without authentication. This occurs because the response header of any failed login attempt returns an incomplete authorization cookie, which is the MD5 hash of the password in hexadecimal. An attacker can derive the true MD5 hash and use offline cracking attacks to obtain administrative access to the device. **Recommendations** For Brother MFC-J491DW version C1806180757, update the firmware to the latest version available to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the web interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Epson Expression Home XP255 version 20.08.FM10I8 **Description** An issue was discovered where the device comes without a password and the user is not prompted to set one up, allowing anyone to access the web admin panel and become admin without credentials. **Recommendations** For Epson Expression Home XP255 version 20.08.FM10I8, consider setting up a password for the device to prevent unauthorized access to the web admin panel. As a temporary workaround, restrict access to the web admin panel until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Epson Expression Home XP255 version 20.08.FM10I8 **Description** An issue was discovered that allows all values to be read with the SNMPv1 public community, and with the epson community, all the changeable values can be written/updated. This can be demonstrated by permanently disabling the network card or changing the DNS servers. **Recommendations** For Epson Expression Home XP255 version 20.08.FM10I8, consider disabling the SNMPv1 public community and restricting access to the epson community to minimize the risk of exploitation. Update to the latest firmware and apply all recommended security patches to mitigate risks.

**Name of the Vulnerable Software and Affected Versions** Luvion Grand Elite 3 Connect through 2020-02-25 **Description** An issue was discovered that allows clients to authenticate themselves to the device using a `username` and `password`. These credentials can be obtained through an unauthenticated web request, such as for a JavaScript file. The disclosed information also includes the SSID and WPA2 key for the Wi-Fi network the device is connected to. **Recommendations** For Luvion Grand Elite 3 Connect through 2020-02-25, consider disabling the use of `username` and `password` for authentication until a patch is available. Restrict access to sensitive information, such as the SSID and WPA2 key, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.