{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-55926","assignerOrgId":"10b61619-3869-496c-8a1e-f291b0e71e3f","state":"PUBLISHED","assignerShortName":"Xerox","dateReserved":"2024-12-13T14:30:30.206Z","datePublished":"2025-01-23T17:12:21.371Z","dateUpdated":"2025-02-24T17:11:02.567Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","platforms":["Windows"],"product":"Xerox Workplace Suite","vendor":"Xerox","versions":[{"lessThan":"5.6.701.9","status":"affected","version":"0","versionType":"custom"}]}],"datePublic":"2025-01-23T17:05:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data"}],"value":"A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data"}],"impacts":[{"capecId":"CAPEC-165","descriptions":[{"lang":"en","value":"CAPEC-165 File Manipulation"}]},{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126 Path Traversal"}]},{"capecId":"CAPEC-78","descriptions":[{"lang":"en","value":"CAPEC-78 Using Escaped Slashes in Alternate Encoding"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434 Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"10b61619-3869-496c-8a1e-f291b0e71e3f","shortName":"Xerox","dateUpdated":"2025-02-24T17:11:02.567Z"},"references":[{"url":"https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-WorkplaceSuite%C2%AE.pdf"}],"source":{"discovery":"UNKNOWN"},"title":"Arbitrary file upload, deletion and read through header manipulation","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-01-23T18:58:12.443714Z","id":"CVE-2024-55926","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-01-23T18:58:27.492Z"}}]}}