A Cross-Site Scripting (XSS) issue in the \'update user\' and \'delete user\' functionalities in settings/users.php in EPSON EPS TSE Server 8 (21.0.11) allows an authenticated attacker to inject a JavaScript payload in the user management page that is executed by an administrator.