Xerox DocuShare (6.6.1, 7.0 and 7.5) involves potential data leakage vulnerabilities (3rd Dec 2020)

Preface: The official announcement did not mentioned too much. Do you have doubt of CVE-2020-27177 (Xerox DocuShare vulnerability)?

Product details: DocuShare Scan and Print 7 (hereafter, Scan and Print) is a feature which allows you to print documents uploaded to DocuShare, or upload scanned documents to DocuShare. DocuShare security features protect content from unauthorized access and modification. These features are available to both the site administrator and users, enabling them to apply the level of protection needed for their site.

Vulnerability details: When applications use XML to transport data between browser and server, the applications almost always use a a standard API for processing the XML on the server. Vulnerabilities arise because parsers will, by default, process potentially dangerous features. DocuShare server encountered server-side request forgery (SSRF) attacks and unauthenticated external XML entity injection attacks (XXE). The overall impact could expose DocuShare users to an attack resulting in the loss of sensitive data. Meanwhile, Docushare server had server-side request forgery vulnerability occur. SSRF can cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure. The serious of impact depends on trust relationship in between both end.

Official announcement – https://securitydocs.business.xerox.com/wp-content/uploads/2020/11/cert_Security_Mini_Bulletin_XRX20W_for-DocuShare-6.61_7.0_7.5.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.