Vulnerabilities (CVE)

Filtered by vendor Xerox Subscribe
Total 103 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-13170 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 4.3 MEDIUM 6.5 MEDIUM
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
CVE-2019-13171 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by one or more stack-based buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device. This was caused by an insecure handling of the register parameters, because the size used within a memcpy() function, which copied the action value into a local variable, was not checked properly.
CVE-2019-13165 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the request parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.
CVE-2019-13167 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Multiple Stored XSS vulnerabilities were found in the Xerox Web Application, used by the Phaser 3320 V53.006.16.000 and other printers. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.
CVE-2019-13166 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 5.0 MEDIUM 7.5 HIGH
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement account lockout. Local account credentials may be extracted from the device via brute force guessing attacks.
CVE-2019-13168 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the attributes parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.
CVE-2019-13169 1 Xerox 2 Phaser 3320, Phaser 3320 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Content-Type HTTP Header of the web application that would allow an attacker to execute arbitrary code on the device.
CVE-2019-17184 1 Xerox 11 Atlalink B8045, Atlalink B8055, Atlalink B8065 and 8 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
Xerox AtlaLink B8045/B8055/B8065/B8075/B8090 C8030/C8035/C8045/C8055/C8070 printers with software before 101.00x.089.22600 allow an attacker to gain privileges.
CVE-2013-6362 1 Xerox 24 Colorqube 9201, Colorqube 9201 Firmware, Colorqube 9202 and 21 more 2024-02-04 5.0 MEDIUM 9.8 CRITICAL
Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and shell user accounts.
CVE-2020-9330 1 Xerox 36 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 33 more 2024-02-04 4.0 MEDIUM 8.8 HIGH
Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices.
CVE-2019-19832 1 Xerox 2 Altalink C8035, Altalink C8035 Firmware 2024-02-04 6.8 MEDIUM 8.8 HIGH
Xerox AltaLink C8035 printers allow CSRF. A request to add users is made in the Device User Database form field to the xerox.set URI. (The frmUserName value must have a unique name.)
CVE-2018-15530 1 Xerox 2 Colorqube 8580, Colorqube 8580 Firmware 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code.
CVE-2019-10880 1 Xerox 10 Colorqube 8700, Colorqube 8700 Firmware, Colorqube 8900 and 7 more 2024-02-04 10.0 HIGH 9.8 CRITICAL
Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.
CVE-2018-20768 1 Xerox 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file.
CVE-2018-20770 1 Xerox 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is Blind SQL Injection.
CVE-2018-20767 1 Xerox 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more 2024-02-04 6.5 MEDIUM 8.8 HIGH
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is authenticated remote command execution.
CVE-2018-20771 1 Xerox 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is unauthenticated Remote Command Execution.
CVE-2018-20769 1 Xerox 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more 2024-02-04 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is a Local File Inclusion vulnerability.
CVE-2018-17172 1 Xerox 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
The web application on Xerox AltaLink B80xx before 100.008.028.05200, C8030/C8035 before 100.001.028.05200, C8045/C8055 before 100.002.028.05200, and C8070 before 100.003.028.05200 allows unauthenticated command injection.
CVE-2014-3138 1 Xerox 1 Docushare 2024-02-04 6.5 MEDIUM N/A
SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hotfix 2, 6.6.1 Update 1 before Hotfix 24, and 6.6.1 Update 2 before Hotfix 3 allows remote authenticated users to execute arbitrary SQL commands via the PATH_INFO to /docushare/dsweb/ResultBackgroundJobMultiple/. NOTE: some of these details are obtained from third party information.