Published: 2025/01/08 Last Updated: 2025/01/08
JVNVU#99901190
Multiple vulnerabilities in FUJIFILM Business Innovation Xerox FreeFlow Core
Overview
Xerox FreeFlow Core, part of the Xerox FreeFlow Digital Workflow Collection provided by FUJIFILM Business Innovation Corp., contains multiple vulnerabilities.
Products Affected
- Xerox FreeFlow Core 7.0.0 to 7.0.10
Description
Xerox FreeFlow Core, part of the Xerox FreeFlow Digital Workflow Collection provided by FUJIFILM Business Innovation Corp., contains the multiple vulnerabilities listed below.
- Missing authentication for critical function (CWE-306)
  - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score 8.3
  - CVE-2024-47555
- Improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22)
  - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score 8.3
  - CVE-2024-47556, CVE-2024-47557
- Improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22)
  - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Base Score 7.6
  - CVE-2024-47558, CVE-2024-47559
Impact
The vulnerabilities may be leveraged to execute arbitrary code on the affected product.
Solution
Apply the patch
Apply the "Xerox FreeFlow Core 7.0.11 Patch Module" which addresses these vulnerabilities.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
FUJIFILM Business Innovation Corp. | Notification about the vulnerability in Xerox FreeFlow Core |
Xerox Corporation | XRX24-014 CVE-2024-47555 CVE-2024-47556/CVE-2024-47557 CVE-2024-47558/CVE-2024-47559 Xerox FreeFlow Core v7.0 (PDF) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN.