Xerox Issues ALERT On Workplace Suite Stores Tokens in Session Storage, Risking Exposure.


Date: Monday January 27, 2025 04:13:16 pm

  • toner
    Keymaster


    Xerox Security Bulletin XRX25-002: Xerox® Workplace Suite®
    Mitigations for CVE-2024-55925, CVE-2024-55926, CVE-2024-55927, CVE-2024-55928, CVE-2024-55929, CVE-2024-55930, CVE-2024-55931
    Bulletin Date: January 23, 2025 (PDF)

    Purpose:
    This bulletin is specifically intended for the identified software and addresses security issues rated as IMPORTANT or higher. The following CVEs have been mitigated in Xerox® Workplace Suite® version 5.6.701.9:

    • CVE-2024-55925: API security bypass via header manipulation
    • CVE-2024-55926: Arbitrary file upload via header manipulation
    • CVE-2024-55926: Arbitrary file deletion on server via header manipulation
    • CVE-2024-55926: Arbitrary file read on server via header manipulation
    • CVE-2024-55927: Flawed token generation implementation
    • CVE-2024-55927: Hard-coded key implementation
    • CVE-2024-55928: Cleartext secrets exposed
    • CVE-2024-55928: Remote system secrets in cleartext
    • CVE-2024-55929: Mail spoofing vulnerability
    • CVE-2024-55930: Weak default folder permissions
    • CVE-2024-55931: Token stored in session storage (to be addressed in a future release)

    We thank Cyril Servières from Orange Cyberdefense for identifying these vulnerabilities and Sébastien Desbordes from Airbus SE for their support in resolving them.
