A Cross-Site Scripting (XSS) issue in the βupdate userβ and βdelete userβ functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator.