|
|
>> Xerox WorkCentre Multiple Remote Code Execution and Security Bypass Vulnerabilities
|
|
Multiple vulnerabilities have been identified in Xerox WorkCentre, which could be exploited by attackers to execute arbitrary commands, bypass restrictions, and disclose sensitive information.
The first issue is due to input validation errors in the Web User Interface (WebUI) that does not validate the TCP/IP hostname, Scan-to-mailbox folder name field, and Microsoft Networking configuration parameters, which could be exploited by attackers to inject arbitrary commands.
The second issue is due to an error in browser permissions, which could be exploited by attackers to gain unauthorized access to a vulnerable device.
The third vulnerability is due to an error in the TFTP/BOOTP auto configuration option, which could allow unauthorized configuration of settings.
The fourth flaw is due to an error within the signature of email messages, which could be exploited to display improper items.
The fifth vulnerability is due to an error in the "scan-to-mailbox" feature, which could be exploited by unauthenticated attackers to retrieve secure files anonymously.
The sixth issue is due to an error in the web services where requests can be made using HTTP instead of HTTPS.
The seventh bug is due to an error in the device that does not keep accurate time, which could cause incorrect time stamps to be present in audit log files.
Credits
Vulnerabilities reported by the vendor
ChangeLog
2006-11-30 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
