Quote:Xerox issued a fix for two vulnerabilities impacting its market-leading DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to an attack resulting in the loss of sensitive data.
 
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and administrators to apply a patch that plugged two security holes in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated important.
 
Tracked as CVE-2020-27177, Xerox said the vulnerabilities open Solaris, Linux and Windows DucuShare users up to both a server-side request forgery (SSRF) attack and an unauthenticated external XML entity injection attack (XXE). Xerox issued its security advisory (XRX20W) on November 30.
 
Xerox did not share the specifics of the bugs or possible attack scenarios. In its “Mini Bulletin” it offered links to hotfix links to tarball files addressing bugs in affected versions of Solaris, Linux and Windows DocuShare.
However, a hotfix for the Solaris version of DocuShare 7.5 is not available. Xerox did not return press inquiries ahead of this published news article.