
Xerox Issues ALERT On Workplace Suite Stores Tokens in Session Storage, Risking Exposure.


Tonernews.com, January 27, 2025. USA

  • toner
    Keymaster

    Xerox Issues Alert On Workplace Suite Stores Tokens in Session Storage, Risking Exposure.

    Xerox Security Bulletin XRX25-002 Xerox® Workplace Suite®
    Mitigations for CVE-2024-55925, CVE-2024-55926, CVE-2024-55927, CVE-2024-55928, CVE-2024-55929, CVE-2024-55930, CVE-2024-55931
    Bulletin Date: January 23, 2025

    Purpose:
    This bulletin is specifically intended for the identified software and addresses security issues rated as IMPORTANT or higher. The following CVEs have been mitigated in Xerox® Workplace Suite® version 5.6.701.9:

    • CVE-2024-55925: API security bypass via header manipulation
    • CVE-2024-55926: Arbitrary file upload via header manipulation
    • CVE-2024-55926: Arbitrary file deletion on server via header manipulation
    • CVE-2024-55926: Arbitrary file read on server via header manipulation
    • CVE-2024-55927: Flawed token generation implementation
    • CVE-2024-55927: Hard-coded key implementation
    • CVE-2024-55928: Cleartext secrets exposed
    • CVE-2024-55928: Remote system secrets in cleartext
    • CVE-2024-55929: Mail spoofing vulnerability
    • CVE-2024-55930: Weak default folder permissions
    • CVE-2024-55931: Token stored in session storage (to be addressed in a future release)

    We thank Cyril Servières from Orange Cyberdefense for identifying these vulnerabilities and Sébastien Desbordes from Airbus SE for their support in resolving them.
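The last item in the bulletin, CVE-2024-55931 "Token stored in session storage", names a pattern that is easy to spot in a front-end bundle during review: a bearer or session token written to `sessionStorage` or `localStorage`, where any script running in the page origin can read it. The snippet below is an added example, not code from Xerox, the bulletin, or the researchers credited above; it is a small heuristic scanner (the key-name patterns and the sample bundle are constructed for this illustration) that flags such writes, and a second check that verifies the usual hardened alternative, a server-set cookie carrying `HttpOnly`, `Secure` and `SameSite`.

```python
"""Heuristic review checks for the 'token in Web Storage' pattern (added example)."""
import re
from typing import List, NamedTuple

# Key names that suggest a credential is being stored. Constructed heuristic,
# not derived from the Xerox bulletin; tune for the code base under review.
CREDENTIAL_KEY = re.compile(
    r"(token|jwt|bearer|session|auth|access|refresh|secret|api[_-]?key)",
    re.IGNORECASE,
)

# Three spellings of a write to Web Storage:
#   storage.setItem('key', v)   storage['key'] = v   storage.key = v
# Reads (getItem) and comparisons (==) deliberately do not match.
STORAGE_WRITE = re.compile(
    r"(?P<api>sessionStorage|localStorage)\s*"
    r"(?:\.\s*setItem\s*\(\s*(?P<q1>['\"])(?P<k1>[^'\"]+)(?P=q1)"
    r"|\[\s*(?P<q2>['\"])(?P<k2>[^'\"]+)(?P=q2)\s*\]\s*=(?!=)"
    r"|\.\s*(?P<k3>[A-Za-z_$][\w$]*)\s*=(?!=))"
)


class Finding(NamedTuple):
    line: int
    api: str
    key: str


def find_web_storage_token_writes(js_source: str) -> List[Finding]:
    """Return every Web Storage write whose key looks like a credential."""
    findings: List[Finding] = []
    for lineno, text in enumerate(js_source.splitlines(), start=1):
        for m in STORAGE_WRITE.finditer(text):
            key = m.group("k1") or m.group("k2") or m.group("k3")
            if key and CREDENTIAL_KEY.search(key):
                findings.append(Finding(lineno, m.group("api"), key))
    return findings


# Attributes a session cookie should carry so script cannot read it and it is
# not sent over plaintext HTTP or on cross-site requests.
REQUIRED_COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")


def cookie_flags_missing(set_cookie_header: str) -> List[str]:
    """Return the required attributes absent from a Set-Cookie header value."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]  # [0] is name=value
    }
    return [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attributes]


# Constructed sample bundle; not taken from any real product.
SAMPLE_BUNDLE = """\
// constructed sample, not Xerox code
fetch('/api/login', {method: 'POST'}).then(r => r.json()).then(body => {
  sessionStorage.setItem('accessToken', body.token);   // flagged
  localStorage['refresh_token'] = body.refresh;        // flagged
  sessionStorage.theme = 'dark';                       // not a credential
  const t = sessionStorage.getItem('accessToken');     // a read, not a write
});
"""

if __name__ == "__main__":
    for f in find_web_storage_token_writes(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.api} write of credential-like key '{f.key}'")
    weak = "sid=abc123; Path=/"
    hardened = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"
    print("weak cookie missing:", cookie_flags_missing(weak))
    print("hardened cookie missing:", cookie_flags_missing(hardened))
```

Run it over a minified bundle after pretty-printing so the line numbers are useful; a hit is a prompt to confirm what is being stored and who can read it, not proof of a vulnerability, and the cookie check only inspects attributes, so the token value itself still needs the usual scrutiny (expiry, binding to the session, revocation).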
