Security Vulnerabilities - CVEs Published In January 2025
A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2025-01-23

Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files.
CVSS Score: 6.7 | EPSS Score: 0.001 | Published: 2025-01-23

A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data.
CVSS Score: 7.6 | EPSS Score: 0.005 | Published: 2025-01-23

A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.
CVSS Score: 7.6 | EPSS Score: 0.002 | Published: 2025-01-23

IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent, which could also cause a denial of service.
CVSS Score: 6.0 | EPSS Score: 0.0 | Published: 2025-01-23

In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2025-01-23

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
CVSS Score: 1.8 | EPSS Score: 0.0 | Published: 2025-01-23

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
CVSS Score: 9.5 | EPSS Score: 0.007 | Published: 2025-01-23

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
CVSS Score: 9.5 | EPSS Score: 0.007 | Published: 2025-01-23

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
CVSS Score: 7.7 | EPSS Score: 0.001 | Published: 2025-01-23
Shodan ® - All rights reserved