CVE-2019-10880 Information

Description

Within multiple XEROX products a vulnerability allows remote command execution on the Linux system as the \nobody\ user through a crafted \HTTP\ request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://airbus-seclab.github.io/ https://securitydocs.business.xerox.com/wp-content/uploads/2019/04/cert_Security_Mini_Bulletin_XRX19C_for_CQ8700_CQ8900_CQ93xx.pdf

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8