CVE-2019-10880

Summary

Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.

Affected Software

VendorProductVersion RangeStatus
XEROXAltaLink B8045/B8055/B8065/B8075/B8090unspecified <= 101.008.008.27400unknown
XEROXAltaLink C8030/C8035/C8045/C8055/C8070unspecified <= 101.001.008.27400unknown
XEROXWorkCentre 3655unspecified <= 073.060.075.34540unknown
XEROXWorkCentre 5845/5855/5865/5875/5890unspecified <= 073.190.075.34540unknown
XEROXWorkCentre 5945/5955unspecified <= 073.091.075.34540unknown
XEROXWorkCentre 6655unspecified <= 073.110.075.34540unknown
XEROXWorkCentre 7220/7225unspecified <= 073.030.075.34540unknown
XEROXWorkCentre 7830/7835/7845/7855unspecified <= 073.010.075.34540unknown
XEROXWorkCentre 7970unspecified <= 073.200.075.34540unknown
XEROXWorkCentre EC7836/EC7856unspecified <= 073.020.167.17200unknown
XEROXColorQube 9301/9302/9303unspecified < 072.xxx.009.07200affected
XEROXColorQube 8700/8900unspecified < 072.xxx.009.07200affected
XEROXWorkCentre 6400unspecified <= 061.070.100.24201unknown
XEROXPhaser 6700unspecified <= 081.140.103.22600unknown
XEROXPhaser 7800unspecified <= 081.150.103.05600unknown
XEROXWorkCentre 5735/5740/5745/5755/5765/5775/5790unspecified <= 061.132.221.21403unknown
XEROXWorkCentre 7525/7530/7535/7545/7556unspecified <= 061.121.224.18803unknown
XEROXWorkCentre 7755/7765/7775unspecified <= 061.090.220.19700unknown

Weaknesses

  • CWE-78: CWE-78 OS Command Injection

Workarounds

There are no known workarounds for now available.

ADP Enrichment

CVE Program Container

Additional References

References