Tonernews.com, January 27, 2025. USA
- This topic is empty.
Viewing 1 post (of 1 total)
-
Posts
-
Xerox Issues Alert On Workplace
Suite Stores Tokens in Session Storage, Risking Exposure.
Xerox Security Bulletin XRX25-002 Xerox® Workplace Suite®
Mitigations for CVE-2024-55925, CVE-2024-55926, CVE-2024-55927, CVE-2024-55928, CVE-2024-55929, CVE-2024-55930, CVE-2024-55931
Bulletin Date: January 23, 2025
(PDF)
Purpose: This bulletin is specifically intended for the identified software and addresses security issues rated as IMPORTANT or higher. The following CVEs have been mitigated in Xerox® Workplace Suite® version 5.6.701.9:- CVE-2024-55925: API security bypass via header manipulation
- CVE-2024-55926: Arbitrary file upload via header manipulation
- CVE-2024-55926: Arbitrary file deletion on server via header manipulation
- CVE-2024-55926: Arbitrary file read on server via header manipulation
- CVE-2024-55927: Flawed token generation implementation
- CVE-2024-55927: Hard-coded key implementation
- CVE-2024-55928: Cleartext secrets exposed
- CVE-2024-55928: Remote system secrets in cleartext
- CVE-2024-55929: Mail spoofing vulnerability
- CVE-2024-55930: Weak default folder permissions
- CVE-2024-55931: Token stored in session storage (to be addressed in a future release)
We thank Cyril Servières from Orange Cyberdefense for identifying these vulnerabilities and Sébastien Desbordes from Airbus SE for their support in resolving them.
Viewing 1 post (of 1 total)
- You must be logged in to reply to this topic.