CVE-2019-10880
CRITICAL
Xerox ColorQube 8700/8900/9301/9302/9303 Firmware - OS Command Injection via HTTP Interface
Title source: llmDescription
Within multiple XEROX products, a vulnerability allows remote command execution on the Linux system as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration, authentication may not be necessary.
References (2)
Core References
Not Applicable (x_refsource_misc): https://airbus-seclab.github.io/
Vendor Advisory (x_refsource_confirm): https://securitydocs.business.xerox.com/wp-content/uploads/2019/04/cert_Security_Mini_Bulletin_XRX19C_for_CQ8700_CQ8900_CQ93xx.pdf
Scores
CVSS v3: 9.8
EPSS: 0.0847
EPSS Percentile: 94.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (5)
xerox/colorqube_8700_firmware < 072.161.009.07200
xerox/colorqube_8900_firmware < 072.161.009.07200
xerox/colorqube_9301_firmware < 072.180.009.07200
xerox/colorqube_9302_firmware < 072.180.009.07200
xerox/colorqube_9303_firmware < 072.180.009.07200
Published: Apr 12, 2019
Tracked Since: Feb 18, 2026