CVE-2019-10880

Published: Apr 12, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.

Affected (5)

Products: Xerox: Colorqube 8700 Firmware, Colorqube 8900 Firmware, Colorqube 9301 Firmware, Colorqube 9302 Firmware, Colorqube 9303 Firmware

Xerox

5 products

Colorqube 8700 Firmware

Colorqube 8900 Firmware

Colorqube 9301 Firmware

Colorqube 9302 Firmware

Colorqube 9303 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Xerox Colorqube 8700 Firmware	Before 072.161.009.07200

Running on/with	Platform Versions
Xerox Colorqube 8700	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Xerox Colorqube 8900 Firmware	Before 072.161.009.07200

Running on/with	Platform Versions
Xerox Colorqube 8900	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Xerox Colorqube 9301 Firmware	Before 072.180.009.07200

Running on/with	Platform Versions
Xerox Colorqube 9301	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Xerox Colorqube 9302 Firmware	Before 072.180.009.07200

Running on/with	Platform Versions
Xerox Colorqube 9302	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Xerox Colorqube 9303 Firmware	Before 072.180.009.07200

Running on/with	Platform Versions
Xerox Colorqube 9303	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://airbus-seclab.github.io/

Source: cert@airbus.com

Not Applicable

https://securitydocs.business.xerox.com/wp-content/uploads/2019/04/cert_Security_Mini_Bulletin_XRX19C_for_CQ8700_CQ8900_CQ93xx.pdf

Source: cert@airbus.com

Vendor Advisory

https://airbus-seclab.github.io/

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://securitydocs.business.xerox.com/wp-content/uploads/2019/04/cert_Security_Mini_Bulletin_XRX19C_for_CQ8700_CQ8900_CQ93xx.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.