Xerox Issues Alert: Workplace Suite Stores Tokens in Session Storage, Risking Exposure.
Xerox Security Bulletin XRX25-002 Xerox® Workplace Suite®
Mitigations for CVE-2024-55925, CVE-2024-55926, CVE-2024-55927, CVE-2024-55928, CVE-2024-55929, CVE-2024-55930, CVE-2024-55931
Bulletin Date: January 23, 2025
(PDF)
Purpose: This bulletin is specifically intended for the identified software and addresses security issues rated as IMPORTANT or higher. The following CVEs have been mitigated in Xerox® Workplace Suite® version 5.6.701.9:
- CVE-2024-55925: API security bypass via header manipulation
- CVE-2024-55926: Arbitrary file upload via header manipulation
- CVE-2024-55926: Arbitrary file deletion on server via header manipulation
- CVE-2024-55926: Arbitrary file read on server via header manipulation
- CVE-2024-55927: Flawed token generation implementation
- CVE-2024-55927: Hard-coded key implementation
- CVE-2024-55928: Cleartext secrets exposed
- CVE-2024-55928: Remote system secrets in cleartext
- CVE-2024-55929: Mail spoofing vulnerability
- CVE-2024-55930: Weak default folder permissions
- CVE-2024-55931: Token stored in session storage (to be addressed in a future release)
We thank Cyril Servières from Orange Cyberdefense for identifying these vulnerabilities and Sébastien Desbordes from Airbus SE for their support in resolving them.
