MidnightBSD

Advisories for xerox

CVE-1999-1343 MEDIUM

HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause a denial of service (hang) via a long URL that contains a large number of . characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docucolor_4lp *
CVE-2001-1134 MEDIUM

Xerox DocuPrint N40 Printers allow remote attackers to cause a denial of service via malformed data, such as that produced by the Code Red worm.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docuprint_n40 *
CVE-2002-1833 HIGH

The default configurations for DocuTech 6110 and DocuTech 6115 have a default administrative password of (1) "service!" on Solaris 8.0 or (2) "administ" on Windows NT, which allows remote attackers to gain privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docutech_6110 *
xerox docutech_6115 *
CVE-2002-1834 MEDIUM

The default configuration of Xerox DocuTech 6110 and DocuTech 6115 allows remote attackers to connect to the web server and (1) submit print jobs directly into the "print now" queue or (2) read the scanner job history.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docutech_6110 *
xerox docutech_6115 *
CVE-2002-1835 HIGH

The default configuration of Xerox DocuTech 6110 and DocuTech 6115 running Solaris 8.0 has a large number of unnecessary services enabled such as RPC and sprayd, which could allow remote attackers to obtain access to the device.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docutech_6110 *
xerox docutech_6115 *
CVE-2002-1836 MEDIUM

The default configuration of Xerox DocuTech 6110 and DocuTech 6115 exports certain NFS shares to the world with world writable permissions, which may allow remote attackers to modify sensitive files.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox docutech_6110 *
xerox docutech_6115 *
CVE-2005-0703 MEDIUM

Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, has an "unauthenticated account," which allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-1179.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_m175 *
xerox workcentre_65 *
xerox workcentre_65 1.001.00.060
xerox workcentre_90 1.001.02.084
xerox workcentre_175 *
xerox workcentre_45 *
xerox workcentre_m55 2.28.11.000
xerox workcentre_m35 2.97.20.032
xerox workcentre_75 1.001.02.084
xerox workcentre_32_color 0.001.00.060
xerox workcentre_40_color *
xerox workcentre_m175 8.47.33.008
xerox workcentre_m55 *
xerox workcentre_2636 0.001.04.044
xerox workcentre_3545 0.001.04.044
xerox workcentre_m35 2.28.11.000
xerox workcentre_35 *
xerox workcentre_m175 8.47.30.000
xerox workcentre_3545 *
xerox workcentre_32_color *
xerox workcentre_m35 4.84.16.000
xerox workcentre_55 3.028.11.000
xerox workcentre_90 *
xerox workcentre_175 7.47.33.008
xerox workcentre_40_color 0.001.00.060
xerox workcentre_m175 6.47.33.008
xerox workcentre_m55 4.84.16.000
xerox workcentre_m165 6.47.33.008
xerox workcentre_35 3.97.20.032
xerox workcentre_40_color 0.001.02.081
xerox workcentre_165 7.47.33.008
xerox workcentre_m165 8.47.30.000
xerox workcentre_m35 *
xerox workcentre_165 *
xerox workcentre_165 7.47.30.000
xerox workcentre_55 3.97.20.032
xerox workcentre_m165 *
xerox workcentre_m165 6.47.30.000
xerox workcentre_m175 6.47.30.000
xerox workcentre_75 1.001.00.060
xerox workcentre_35 3.028.11.000
xerox workcentre_m45 2.28.11.000
xerox workcentre_m45 4.84.16.000
xerox workcentre_m45 *
xerox workcentre_175 7.47.30.000
xerox workcentre_2128 0.001.04.044
xerox workcentre_55 *
xerox workcentre_90 1.001.00.060
xerox workcentre_65 1.001.02.084
xerox workcentre_m165 8.47.33.008
xerox workcentre_2128 *
xerox workcentre_45 3.028.11.000
xerox workcentre_m55 2.97.20.032
xerox workcentre_32_color 0.001.02.081
xerox workcentre_75 *
xerox workcentre_45 3.97.20.032
xerox workcentre_m45 2.97.20.032
xerox workcentre_2636 *
CVE-2005-1179 MEDIUM

Unknown vulnerability in Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, related to SNMP authentication, allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-0703.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_32_color 01.02.058.4
xerox workcentre 32_color_1.2.81
xerox workcentre_65 1.001.00.060
xerox workcentre_90 1.001.02.084
xerox workcentre_40_color 01.02.65.1
xerox workcentre_m55 2.28.11.000
xerox workcentre_m55 4.97.20.032
xerox workcentre_m35 2.97.20.032
xerox workcentre_75 1.001.02.084
xerox workcentre_m175 8.47.33.008
xerox workcentre_2636 0.001.04.044
xerox workcentre_3545 0.001.04.044
xerox workcentre_40_color 01.00.060
xerox workcentre_m35 2.28.11.000
xerox workcentre_m175 8.47.30.000
xerox workcentre_m35 4.84.16.000
xerox workcentre_55 3.028.11.000
xerox workcentre_m35 4.97.20.032
xerox workcentre_175 7.47.33.008
xerox workcentre_m175 6.47.33.008
xerox workcentre_m55 4.84.16.000
xerox workcentre_m165 6.47.33.008
xerox workcentre_32_color 01.02.077.1
xerox workcentre_32_color 01.02.053.1
xerox workcentre_35 3.97.20.032
xerox workcentre_165 7.47.33.008
xerox workcentre_m165 8.47.30.000
xerox workcentre_165 7.47.30.000
xerox workcentre_55 3.97.20.032
xerox workcentre_m165 6.47.30.000
xerox workcentre_m175 6.47.30.000
xerox workcentre_75 1.001.00.060
xerox workcentre_35 3.028.11.000
xerox workcentre_m45 2.28.11.000
xerox workcentre_m45 4.84.16.000
xerox workcentre_m45 4.97.20.025
xerox workcentre_m45 4.97.20.032
xerox workcentre_175 7.47.30.000
xerox workcentre_2128 0.001.04.044
xerox workcentre_32_color 01.00.060
xerox workcentre_m35 4.97.20.025
xerox workcentre_90 1.001.00.060
xerox workcentre_65 1.001.02.084
xerox workcentre_m165 8.47.33.008
xerox workcentre_40_color 01.02.053.1
xerox workcentre_m55 4.97.20.025
xerox workcentre_40_color 01.02.077.1
xerox workcentre_45 3.028.11.000
xerox workcentre_m55 2.97.20.032
xerox workcentre_40_color 01.02.058.4
xerox workcentre 40_color_1.2.81
xerox workcentre_45 3.97.20.032
xerox workcentre_m45 2.97.20.032
CVE-2005-1936 HIGH

Unknown vulnerability in the web server for the ESS/ Network Controller for Xerox Document Centre 240 through 555 running System Software 27.18.017 and earlier allows attackers to "gain unauthorized access."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox document_centre_425 *
xerox document_centre_432 *
xerox document_centre_426 *
xerox document_centre_420 *
xerox document_centre_440 *
xerox document_centre_555 *
xerox document_centre_230 *
xerox document_centre_545 *
xerox document_centre_460 *
xerox document_centre_220 *
xerox document_centre_535 *
xerox document_centre_430 *
xerox document_centre_240 *
xerox document_centre_490 *
xerox document_centre_332 *
xerox document_centre_470 *
xerox document_centre_480 *
xerox document_centre_265 *
xerox document_centre_340 *
xerox document_centre_255 *
CVE-2005-2200 HIGH

Multiple unknown vulnerabilities in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to bypass authentication.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_3545 0.001.04.504
xerox workcentre_2636 0.001.04.044
xerox workcentre_3545 0.001.04.044
xerox workcentre_2128 0.001.04.504
xerox workcentre_2128 0.001.04.044
xerox workcentre_2636 0.001.04.504
CVE-2005-2201 MEDIUM

Unknown vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to cause a denial of service or access files via crafted HTTP requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_3545 0.001.04.504
xerox workcentre_2636 0.001.04.044
xerox workcentre_3545 0.001.04.044
xerox workcentre_2128 0.001.04.504
xerox workcentre_2128 0.001.04.044
xerox workcentre_2636 0.001.04.504
CVE-2005-2202 MEDIUM

Cross-site scripting (XSS) vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_3545 0.001.04.504
xerox workcentre_2636 0.001.04.044
xerox workcentre_3545 0.001.04.044
xerox workcentre_2128 0.001.04.504
xerox workcentre_2128 0.001.04.044
xerox workcentre_2636 0.001.04.504
CVE-2005-2645 HIGH

Unknown vulnerability in Xerox MicroServer Web Server in Document Centre 220 through 265, 332 and 340, 420 through 490, and 535 through 555 allows remote attackers to bypass authentication.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox document_centre_490 *
xerox document_centre_332 *
xerox document_centre_265 *
xerox document_centre_420 *
xerox document_centre_555 *
xerox document_centre_340 *
xerox document_centre_535 *
CVE-2005-2646 MEDIUM

Unknown vulnerability in Xerox MicroServer Web Server in Document Centre 220 through 265, 332 and 340, 420 through 490, and 535 through 555 allows remote attackers to cause a denial of service or read files via unknown vectors involving crafted HTTP requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox document_centre_425 *
xerox document_centre_432 *
xerox document_centre_426 *
xerox document_centre_420 *
xerox document_centre_440 *
xerox document_centre_555 *
xerox document_centre_230 *
xerox document_centre_545 *
xerox document_centre_460 *
xerox document_centre_220 *
xerox document_centre_535 *
xerox document_centre_430 *
xerox document_centre_240 *
xerox document_centre_490 *
xerox document_centre_332 *
xerox document_centre_470 *
xerox document_centre_480 *
xerox document_centre_265 *
xerox document_centre_340 *
xerox document_centre_255 *
CVE-2005-2647 MEDIUM

Cross-site scripting (XSS) vulnerability in Xerox MicroServer Web Server in Document Centre 220 through 265, 332 and 340, 420 through 490, and 535 through 555 allows remote attackers to inject arbitrary web script or HTML and modify web pages via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox document_centre_490 *
xerox document_centre_332 *
xerox document_centre_265 *
xerox document_centre_420 *
xerox document_centre_555 *
xerox document_centre_340 *
xerox document_centre_535 *
CVE-2006-0825 HIGH

Multiple unspecified vulnerabilities in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allow remote attackers to bypass authentication or gain "unauthorized network access" via unknown attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_232 *
xerox workcentre_255 *
xerox workcentre_238 *
xerox workcentre_265 *
xerox workcentre_245 *
xerox workcentre_275 *
CVE-2006-0826 MEDIUM

Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to cause a denial of service via a crafted Postscript request.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_232 *
xerox workcentre_255 *
xerox workcentre_238 *
xerox workcentre_265 *
xerox workcentre_245 *
xerox workcentre_275 *
CVE-2006-0827 MEDIUM

Cross-site scripting vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_232 *
xerox workcentre_255 *
xerox workcentre_238 *
xerox workcentre_265 *
xerox workcentre_245 *
xerox workcentre_275 *
CVE-2006-0828 MEDIUM

Unspecified vulnerability in ESS/ Network Controller and MicroServer Web Server in Xerox WorkCentre Pro and Xerox WorkCentre running software 13.027.24.015 and 14.027.24.015 allows remote attackers to "reduce effectiveness of security features" via unknown attack vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_232 *
xerox workcentre_255 *
xerox workcentre_238 *
xerox workcentre_265 *
xerox workcentre_245 *
xerox workcentre_275 *
CVE-2006-1136 MEDIUM

Buffer overflow in the PostScript file interpreter code for Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows attackers to cause a denial of service via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox workcentre_90 *
xerox copycentre_c90 *
xerox copycentre_c65 *
xerox workcentre_65 *
xerox workcentre_75 *
xerox copycentre_c75 *
CVE-2006-1137 MEDIUM

Multiple unspecified vulnerabilities in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allow remote attackers to cause an unspecified denial of service via a crafted PostScript file that will (1) "navigate through the directory" or (2) a "file sent to expose TCP/IP ports".

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox copycentre_c90_firmware *
xerox copycentre_c75_firmware *
xerox workcentre_pro_65_firmware *
xerox copycentre_c65_firmware *
xerox workcentre_pro_90_firmware *
xerox workcentre_pro_75_firmware *
CVE-2006-1138 MEDIUM

Unspecified vulnerability in the web server code in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, allows remote attackers to cause a denial of service (memory corruption) via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox copycentre_c90_firmware *
xerox copycentre_c75_firmware *
xerox workcentre_pro_65_firmware *
xerox copycentre_c65_firmware *
xerox workcentre_pro_90_firmware *
xerox workcentre_pro_75_firmware *
CVE-2006-1139 MEDIUM

Unspecified vulnerability in the ESS/ Network Controller in Xerox CopyCentre and Xerox WorkCentre Pro, running software 1.001.02.073 or earlier, or 1.001.02.074 before 1.001.02.715, causes the Immediate Image Overwrite feature to fail after a power loss, which could leave data exposed to attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox copycentre_c90_firmware *
xerox copycentre_c75_firmware *
xerox workcentre_pro_65_firmware *
xerox copycentre_c65_firmware *
xerox workcentre_pro_90_firmware *
xerox workcentre_pro_75_firmware *
CVE-2010-0548 MEDIUM

Multiple unspecified vulnerabilities in the Network Controller and Web Server in Xerox WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, and 5687 allow remote attackers to (1) access mailboxes via unknown vectors that bypass Scan to Mailbox authorization or (2) read device configuration information via via unknown vectors that bypass web server authorization.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xerox workcentre_5632 *
xerox workcentre_5675 *
xerox workcentre_5655 *
xerox workcentre_5645 *
xerox workcentre_5687 *
xerox workcentre_5638 *
xerox workcentre_5665 *
CVE-2010-0549 MEDIUM

Unspecified vulnerability in the Network Controller in Xerox WorkCentre 6400 System Software 060.070.109.11407 through 060.070.109.29510, and Net Controller 060.079.11410 through 060.079.29310, allows remote attackers to access "directory structure" via a crafted PostScript file, aka "Unauthorized Directory Structure Access Vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xerox workcentre_6400_system_software 060.070.109.29510
xerox workcentre_6400_net_controller 060.079.29310
xerox workcentre_6400_net_controller 060.079.11410
xerox workcentre_6400_system_software 060.070.109.11407
CVE-2012-0773 HIGH

The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x before 11.2.202.228 on Windows, Mac OS X, and Linux; Flash Player before 10.3.183.18 and 11.x before 11.2.202.223 on Solaris; Flash Player before 11.1.111.8 on Android 2.x and 3.x; and AIR before 3.2.0.2070 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
adobe flash_player *
xerox freeflow_print_server 8.0
adobe adobe_air *
CVE-2013-0407 MEDIUM

Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Kernel/DTrace Framework.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox freeflow_print_server 8.0
sun sunos 5.10
sun sunos 5.11
CVE-2013-0415 MEDIUM

Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Bind/Postinstall script for Bind package.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox freeflow_print_server 8.0
sun sunos 5.10
CVE-2013-6362 MEDIUM

Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and shell user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
xerox workcentre_7530_firmware 2013
xerox workcentre_7765_firmware 2013
xerox workcentre_7545_firmware 2013
xerox workcentre_7775_firmware 2013
xerox workcentre_7535_firmware 2013
xerox workcentre_7556_firmware 2013
xerox colorqube_9201_firmware 2013
xerox workcentre_7525_firmware 2013
xerox colorqube_9202_firmware 2013
xerox workcentre_6400_firmware 2013
xerox colorqube_9203_firmware 2013
xerox workcentre_7755_firmware 2013
CVE-2014-3138 MEDIUM

SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
xerox docushare 6.6.1
xerox docushare 6.5.3
CVE-2016-11061 HIGH

Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, and 7970i devices before 073.xxx.086.15410 do not properly escape parameters in the support/remoteUI/configrui.php script, which can allow an unauthenticated attacker to execute OS commands on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_5955_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_5955i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_5945_firmware *
xerox workcentre_5945i_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7200i_firmware *
xerox workcentre_7200_firmware *
CVE-2018-15530 MEDIUM

Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
xerox colorqube_8580_firmware -
CVE-2018-17172 HIGH

The web application on Xerox AltaLink B80xx before 100.008.028.05200, C8030/C8035 before 100.001.028.05200, C8045/C8055 before 100.002.028.05200, and C8070 before 100.003.028.05200 allows unauthenticated command injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2018-20767 MEDIUM

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is authenticated remote command execution.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5900i_firmware *
xerox workcentre_5900_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2018-20768 HIGH

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5900i_firmware *
xerox workcentre_5900_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2018-20769 MEDIUM

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is a Local File Inclusion vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5900i_firmware *
xerox workcentre_5900_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2018-20770 HIGH

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is Blind SQL Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5900i_firmware *
xerox workcentre_5900_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2018-20771 HIGH

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is unauthenticated Remote Command Execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5900i_firmware *
xerox workcentre_5900_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2019-10880 HIGH

Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
xerox colorqube_9302_firmware *
xerox colorqube_8700_firmware *
xerox colorqube_8900_firmware *
xerox colorqube_9301_firmware *
xerox colorqube_9303_firmware *
CVE-2019-10881 HIGH

Xerox AltaLink B8045/B8055/B8065/B8075/B8090, AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 includes two accounts with weak hard-coded passwords which can be exploited and allow unauthorized access which cannot be disabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-259,CWE-798,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2019-13165 HIGH

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the request parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13166 MEDIUM

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement account lockout. Local account credentials may be extracted from the device via brute force guessing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-307,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13167 MEDIUM

Multiple Stored XSS vulnerabilities were found in the Xerox Web Application, used by the Phaser 3320 V53.006.16.000 and other printers. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13168 HIGH

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the attributes parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13169 HIGH

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Content-Type HTTP Header of the web application that would allow an attacker to execute arbitrary code on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13170 MEDIUM

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13171 HIGH

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by one or more stack-based buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device. This was caused by an insecure handling of the register parameters, because the size used within a memcpy() function, which copied the action value into a local variable, was not checked properly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-13172 HIGH

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Authentication Cookie of the web application that would allow an attacker to execute arbitrary code on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
xerox phaser_3320_firmware v53.006.16.000
CVE-2019-17184 HIGH

Xerox AtlaLink B8045/B8055/B8065/B8075/B8090 C8030/C8035/C8045/C8055/C8070 printers with software before 101.00x.089.22600 allow an attacker to gain privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox atlalink_firmware 101.002.089.22600
xerox atlalink_firmware 101.003.089.22600
xerox atlalink_firmware 101.001.089.22600
xerox atlalink_firmware 101.008.089.22600
CVE-2019-18628 MEDIUM

Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open to potential cryptographic information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2019-18629 MEDIUM

Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during a exploited clone install. This requires creating a clone file and signing that file with a compromised private key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2019-18630 MEDIUM

On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2019-19832 MEDIUM

Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
xerox altalink_c8035_firmware -
CVE-2020-26162 MEDIUM

Xerox WorkCentre EC7836 before 073.050.059.25300 and EC7856 before 073.020.059.25300 devices allow XSS via Description pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
CVE-2020-36201 MEDIUM

An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7830i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_5955_firmware *
xerox workcentre_7855i_firmware *
xerox workcentre_5890_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_5865i_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_5875i_firmware *
xerox workcentre_5955i_firmware *
xerox workcentre_7835i_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7220i_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5945_firmware *
xerox workcentre_5945i_firmware *
xerox workcentre_5865_firmware *
xerox workcentre_7225i_firmware *
xerox workcentre_5875_firmware *
xerox workcentre_5890i_firmware *
xerox workcentre_7845i_firmware *
CVE-2020-9330 MEDIUM

Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
xerox workcentre_7970i_firmware *
xerox workcentre_7220_firmware *
xerox workcentre_5955_firmware *
xerox workcentre_6655i_firmware *
xerox workcentre_5845_firmware *
xerox workcentre_7845_firmware *
xerox workcentre_5855_firmware *
xerox workcentre_6655_firmware *
xerox workcentre_3655i_firmware *
xerox workcentre_7855_firmware *
xerox workcentre_ec7856_firmware *
xerox workcentre_ec7836_firmware *
xerox workcentre_5945_firmware *
xerox workcentre_7970_firmware *
xerox workcentre_3655_firmware *
xerox workcentre_7835_firmware *
xerox workcentre_7830_firmware *
xerox workcentre_7225_firmware *
CVE-2021-28668 HIGH

Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 has several SQL injection vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2021-28669 MEDIUM

Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 provide the ability to set configuration attributes without administrative rights.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2021-28670 MEDIUM

Xerox AltaLink B8045/B8090 before 103.008.030.32000, C8030/C8035 before 103.001.030.32000, C8045/C8055 before 103.002.030.32000 and C8070 before 103.003.030.32000 allow unauthorized users, by leveraging the Scan To Mailbox feature, to delete arbitrary files from the disk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox altalink_b8075_firmware *
xerox altalink_c8030_firmware *
xerox altalink_b8045_firmware *
xerox altalink_c8045_firmware *
xerox altalink_b8055_firmware *
xerox altalink_c8070_firmware *
xerox altalink_b8065_firmware *
xerox altalink_c8035_firmware *
xerox altalink_c8055_firmware *
xerox altalink_b8090_firmware *
CVE-2021-28671 HIGH

Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before 32.65.51 and 32.59.01 (Bridge), B605/B615 before 33.65.51 and 33.59.01 (Bridge), B7025/30/35 before 58.65.51 and 58.59.11 (Bridge), C400 before 67.65.51 and 67.59.01 (Bridge), C405 before 68.65.51 and 68.59.01 (Bridge), C500/C600 before 61.65.51 and 61.59.01 (Bridge), C505/C605 before 62.65.51 and 62.59.01 (Bridge), C7000 before 56.65.51 and 56.59.01 (Bridge), C7020/25/30 before 57.65.51 and 57.59.01 (Bridge), C8000/C9000 before 70.65.51 and 70.59.01 (Bridge), C8000W before 72.65.51 have a remote Command Execution vulnerability in the Web User Interface that allows remote attackers with "a weaponized clone file" to execute arbitrary commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox versalink_b7025_firmware *
xerox versalink_c400_firmware *
xerox versalink_c500_firmware *
xerox phaser_6510_firmware *
xerox versalink_c7020_firmware *
xerox versalink_b400_firmware *
xerox versalink_b605_firmware *
xerox versalink_b615_firmware *
xerox versalink_c7030_firmware *
xerox workcentre_6515_firmware *
xerox versalink_b7030_firmware *
xerox versalink_c8000w_firmware *
xerox versalink_c8000_firmware *
xerox versalink_c7000_firmware *
xerox versalink_b7035_firmware *
xerox versalink_c7025_firmware *
xerox versalink_c9000_firmware *
xerox versalink_b610_firmware *
xerox versalink_c600_firmware *
xerox versalink_c605_firmware *
xerox versalink_b405_firmware *
xerox versalink_c405_firmware *
xerox versalink_b600_firmware *
xerox versalink_c505_firmware *
CVE-2021-28672 HIGH

Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 6515 before 65.65.51 and 65.59.11 (Bridge), VersaLink B400 before 37.65.51 and 37.59.01 (Bridge), B405 before 38.65.51 and 38.59.01 (Bridge), B600/B610 before 32.65.51 and 32.59.01 (Bridge), B605/B615 before 33.65.51 and 33.59.01 (Bridge), B7025/30/35 before 58.65.51 and 58.59.11 (Bridge), C400 before 67.65.51 and 67.59.01 (Bridge), C405 before 68.65.51 and 68.59.01 (Bridge), C500/C600 before 61.65.51 and 61.59.01 (Bridge), C505/C605 before 62.65.51 and 62.59.01 (Bridge), C7000 before 56.65.51 and 56.59.01 (Bridge), C7020/25/30 before 57.65.51 and 57.59.01 (Bridge), C8000/C9000 before 70.65.51 and 70.59.01 (Bridge), C8000W before 72.65.51 allows remote attackers to execute arbitrary code through a buffer overflow in Web page parameter handling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
xerox versalink_b7025_firmware *
xerox versalink_c400_firmware *
xerox versalink_c500_firmware *
xerox phaser_6510_firmware *
xerox versalink_c7020_firmware *
xerox versalink_b400_firmware *
xerox versalink_b605_firmware *
xerox versalink_b615_firmware *
xerox versalink_c7030_firmware *
xerox workcentre_6515_firmware *
xerox versalink_b7030_firmware *
xerox versalink_c8000w_firmware *
xerox versalink_c8000_firmware *
xerox versalink_c7000_firmware *
xerox versalink_b7035_firmware *
xerox versalink_c7025_firmware *
xerox versalink_c9000_firmware *
xerox versalink_b610_firmware *
xerox versalink_c600_firmware *
xerox versalink_c605_firmware *
xerox versalink_b405_firmware *
xerox versalink_c405_firmware *
xerox versalink_b600_firmware *
xerox versalink_c505_firmware *
CVE-2021-28673 HIGH

Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 6515 before 65.61.23 and 65.59.11 (Bridge), VersaLink B400 before 37.61.23 and 37.59.01 (Bridge), B405 before 38.61.23 and 38.59.01 (Bridge), B600/B610 before 32.61.23 and 32.59.01 (Bridge), B605/B615 before 33.61.23 and 33.59.01 (Bridge), B7025/30/35 before 58.61.23 and 58.59.11 (Bridge), C400 before 67.61.23 and 67.59.01 (Bridge), C405 before 68.61.23 and 68.59.01 (Bridge), C500/C600 before 61.61.23 and 61.59.01 (Bridge), C505/C605 before 62.61.23 and 62.59.11 (Bridge), C7000 before 56.61.23 and 56.59.01 (Bridge), C7020/25/30 before 57.61.23 and 57.59.01 (Bridge), C8000/C9000 before 70.61.23 and 70.59.01 (Bridge), allows remote attackers with "a weaponized clone file" to execute arbitrary commands in the Web User Interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xerox workcentre_6515_firmware *
xerox versalink_b7025_firmware *
xerox versalink_b7030_firmware *
xerox versalink_c400_firmware *
xerox versalink_c8000_firmware *
xerox versalink_c7000_firmware *
xerox versalink_c500_firmware *
xerox versalink_b7035_firmware *
xerox phaser_6510_firmware *
xerox versalink_c7020_firmware *
xerox versalink_b400_firmware *
xerox versalink_c7025_firmware *
xerox versalink_c9000_firmware *
xerox versalink_b605_firmware *
xerox versalink_b610_firmware *
xerox versalink_c600_firmware *
xerox versalink_c605_firmware *
xerox versalink_b615_firmware *
xerox versalink_b405_firmware *
xerox versalink_c7030_firmware *
xerox versalink_c405_firmware *
xerox versalink_b600_firmware *
xerox versalink_c505_firmware *
CVE-2021-37354 HIGH

Xerox Phaser 4622 v35.013.01.000 was discovered to contain a buffer overflow in the function sub_3226AC via the TIMEZONE variable. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
xerox phaser_4622_firmware 35.013.01.000
CVE-2022-23320 MEDIUM

XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
xerox xmpie_ustore 12.3.7244.0
CVE-2022-23321 LOW

A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
xerox xmpie_ustore 12.3.7244.0
CVE-2022-23968 HIGH

Xerox VersaLink devices on specific versions of firmware before 2022-01-26 allow remote attackers to brick the device via a crafted TIFF file in an unauthenticated HTTP POST request. There is a permanent denial of service because image parsing causes a reboot, but image parsing is restarted as soon as the boot process finishes. However, this boot loop can be resolved by a field technician. The TIFF file must have an incomplete Image Directory. Affected firmware versions include xx.42.01 and xx.50.61. NOTE: the 2022-01-24 NeoSmart article included "believed to affect all previous and later versions as of the date of this posting" but a 2022-01-26 vendor statement reports "the latest versions of firmware are not vulnerable to this issue."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-835,

Products Affected

Vendor Product Version
xerox versalink_firmware *
CVE-2022-26572 MEDIUM

Xerox ColorQube 8580 was discovered to contain an access control issue which allows attackers to print, view the status, and obtain sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xerox colorqube_8580_firmware -
CVE-2022-45897

On Xerox WorkCentre 3550 25.003.03.000 devices, an authenticated attacker can view the SMB server settings and can obtain the stored cleartext credentials associated with those settings.

Products Affected

Vendor Product Version
xerox workcentre_3550_firmware 25.003.03.000
CVE-2023-46327

Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient. With the knowledge of the encryption process and the encryption key, the information such as the server credentials may be obtained from the exported Address Book data. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
fujifilm apeos_6580_firmware *
fujifilm apeosport_4570_firmware *
xerox primelink_b9100_firmware *
xerox versalink_c7125_firmware *
fujifilm apeos_2560_gk_firmware *
fujifilm apeos_c2560_gk_firmware *
fujifilm apeosport_c6570_firmware *
fujifilm apeos_c3060_gk_firmware *
fujifilm apeosport_3060_g_firmware *
fujifilm apeos_c4030_firmware *
xerox primelink_b9110_firmware *
fujifilm apeos_3060_gk_firmware *
xerox primelink_c9065_firmware *
fujifilm apeosport_5570_firmware *
fujifilm apeosport_3060_firmware *
xerox versalink_b605_firmware *
fujifilm apeos_4570_firmware *
fujifilm apeosport_3570_firmware *
fujifilm apeos_c6580_firmware *
xerox versalink_c7030_firmware *
fujifilm apeosport-vii_5021_firmware *
fujifilm revoria_press_e1136_firmware *
fujifilm apeosport_c3060_g_firmware *
fujifilm primelink_c9070_firmware *
xerox workcentre_6515_firmware *
fujifilm apeosport_4570_g_firmware *
fujifilm apeos_5570_firmware *
fujifilm apeosport_c2560_firmware *
fujifilm apeos_3560_firmware *
fujifilm apeosport_3560_g_firmware *
xerox versalink_c7025_firmware *
fujifilm apeosport_5570_g_firmware *
fujifilm apeosport_c3060_firmware *
fujifilm apeos_6340_firmware *
fujifilm apeosport_c4570_firmware *
xerox versalink_c605_firmware *
xerox versalink_b7125_firmware *
fujifilm apeosport_c3070_firmware *
fujifilm apeos_c4570_firmware *
fujifilm apeosport-vii_c3321_firmware *
fujifilm apeos_c2060_firmware *
xerox versalink_c405_firmware *
fujifilm apeosport_c5570_firmware *
fujifilm apeos_c5570_firmware *
fujifilm apeosport_c7070_firmware *
fujifilm apeospro_c650_firmware *
fujifilm revoria_press_e1100_firmware *
fujifilm apeos_c7580_firmware *
xerox versalink_c505_firmware *
fujifilm apeos_4830_firmware *
fujifilm apeos_c2560_firmware *
fujifilm apeos_c5240_firmware *
xerox primelink_c9070_firmware *
fujifilm apeosport_c3570_firmware *
xerox versalink_c7120_firmware *
fujifilm apeosport_2560_firmware *
fujifilm apeospro_c810_firmware *
fujifilm apeos_c3060_firmware *
fujifilm apeos_5330_firmware *
xerox versalink_c7020_firmware *
fujifilm apeosport-vii_4021_firmware *
fujifilm apeos_3560_gk_firmware *
fujifilm apeos_2560_firmware *
fujifilm apeosport_3560_firmware *
fujifilm apeos_c6570_firmware *
xerox primelink_b9136_firmware *
xerox versalink_b7130_firmware *
fujifilm apeos_c8180_firmware *
xerox versalink_c7130_firmware *
fujifilm apeosport_c2560_g_firmware *
xerox versalink_b615_firmware *
fujifilm apeos_c7070_firmware *
fujifilm apeospro_c750_firmware *
fujifilm apeos_c3530_firmware *
xerox versalink_b7135_firmware *
fujifilm apeos_7580_firmware *
fujifilm revoria_press_sc180_firmware *
fujifilm revoria_press_sc170_firmware *
xerox primelink_b9125_firmware *
xerox versalink_c7000_firmware *
fujifilm revoria_press_e1125_firmware *
fujifilm apeosport_c2060_g_firmware *
fujifilm revoria_press_e1110_firmware *
fujifilm apeosport-vii_c4421_firmware *
fujifilm apeos_c2060_gk_firmware *
fujifilm primelink_c9065_firmware *
fujifilm apeos_c3570_firmware *
fujifilm apeosport_c2060_firmware *
fujifilm apeosport_2560_g_firmware *
xerox versalink_b405_firmware *
fujifilm apeos_c2570_firmware *
fujifilm apeos_c3070_firmware *
fujifilm apeos_3060_firmware *
CVE-2024-55925

In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55926

A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55927

A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55928

Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55929

A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55930

Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2024-55931

Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.  The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
xerox workplace_suite *
CVE-2025-8355

In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
xerox freeflow_core 8.0.4
CVE-2025-8356

In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
xerox freeflow_core 8.0.4
CVE-2026-1769

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xerox CentreWare on Windows allows Stored XSS.This issue affects CentreWare: through 7.0.6.  Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N 1.0 4.2

Products Affected

Vendor Product Version
xerox centreware_web *
CVE-2026-2251

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads https://www.support.xerox.com/en-us/product/core/downloads

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
xerox freeflow_core *
CVE-2026-2252

An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7.  Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on -  https://www.support.xerox.com/en-us/product/core/downloads

CVSS 3.x

Source Score Severity Vector Exploitability Impact
10b61619-3869-496c-8a1e-f291b0e71e3f 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
xerox freeflow_core *