Cyber Posture

CVE-2024-55925

Severity: High
Published: 23 January 2025
Modified: 28 February 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (24.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints.

Security Summary

CVE-2024-55925 is a vulnerability in Xerox Workplace Suite that allows bypass of an API restricted to specific hosts through manipulation of the Host header. The issue stems from improper validation of the Host header, where the server trusts the forged value without verifying the actual destination IP or hostname. This improper host validation (CWE-290) can expose sensitive API endpoints to unauthorized access.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges or user interaction required. An unauthenticated attacker can craft HTTP requests with a spoofed Host header to trick the server into granting access to restricted APIs, potentially leading to high confidentiality impacts such as disclosure of sensitive data hosted by the endpoints.
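As an added, illustrative example (not Xerox code, and not a description of how Workplace Suite actually implements its restriction), the following Python contrasts the pattern the summary describes, trusting the client-supplied Host header alone, with a check that canonicalises the header and also confirms which server interface accepted the TCP connection. Every hostname, address, path and request below is a constructed sample value.

```python
"""Host-header checks for a host-restricted API endpoint.

Added illustration of the weakness class described above and of its
mitigation. It is not Xerox code and makes no claim about how Workplace
Suite performs its restriction. All names, addresses and paths are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: namespace of the API that should only be reachable from
# specific hosts.
RESTRICTED_PREFIX = "/internal/api/"

# Constructed: names the service is legitimately deployed under, and the
# networks of the interfaces on which the restricted API may be reached.
TRUSTED_HOSTS = {"wps-internal.corp.example", "127.0.0.1", "::1"}
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Request:
    host_header: str   # Host header exactly as the client sent it
    local_addr: str    # server-side IP that accepted the TCP connection
    path: str


def canonical_host(host_header: str) -> Optional[str]:
    """Normalise a Host header to a lowercase hostname or IP literal with the
    port removed. Returns None for anything not well-formed, so a malformed
    value can never match an allowlist entry by accident."""
    h = host_header.strip().lower()
    if not h:
        return None
    if h.startswith("["):                       # bracketed IPv6, e.g. [::1]:8443
        end = h.find("]")
        if end == -1:
            return None
        literal, rest = h[1:end], h[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return None
        return literal
    name, sep, port = h.rpartition(":")
    if sep:
        if not port.isdigit():
            return None
        h = name
    if not h or not all(c.isalnum() or c in ".-" for c in h):
        return None
    return h.rstrip(".")


def weak_is_allowed(req: Request) -> bool:
    """Vulnerable pattern: the client-controlled Host header is taken as proof
    of which destination the request reached. It is both bypassable (anyone can
    send the trusted name) and brittle (a legitimate "host:port" value fails)."""
    if not req.path.startswith(RESTRICTED_PREFIX):
        return True
    return req.host_header in TRUSTED_HOSTS


def hardened_is_allowed(req: Request) -> bool:
    """Defensive pattern: the Host header must canonicalise to a known name,
    AND the connection must have arrived on an interface where the restricted
    API is meant to be exposed. The second condition is the one a forged Host
    header cannot satisfy."""
    if not req.path.startswith(RESTRICTED_PREFIX):
        return True
    host = canonical_host(req.host_header)
    if host is None or host not in TRUSTED_HOSTS:
        return False
    try:
        local = ipaddress.ip_address(req.local_addr)
    except ValueError:
        return False
    return any(local in net for net in INTERNAL_NETS)


# Constructed sample requests: the internal interface is 10.0.5.20, the
# public one 203.0.113.10.
LEGIT = Request("wps-internal.corp.example:8443", "10.0.5.20", "/internal/api/jobs")
SPOOFED = Request("wps-internal.corp.example", "203.0.113.10", "/internal/api/jobs")
SPOOFED_V6 = Request("[::1]", "203.0.113.10", "/internal/api/jobs")
UNKNOWN = Request("evil.example", "203.0.113.10", "/internal/api/jobs")
PUBLIC = Request("portal.example", "203.0.113.10", "/print/status")


def evaluate(requests):
    """Return (path, host_header, weak_decision, hardened_decision) per request."""
    return [(r.path, r.host_header, weak_is_allowed(r), hardened_is_allowed(r))
            for r in requests]


if __name__ == "__main__":
    for path, host, weak, hard in evaluate([LEGIT, SPOOFED, SPOOFED_V6, UNKNOWN, PUBLIC]):
        print(f"{host:32} {path:20} weak={weak!s:5} hardened={hard}")
```

The point of the second condition is that the Host header is a claim made by the client, whereas the local socket address is a fact observed by the server; an allowlist of names alone, however carefully canonicalised, still lets a request that reached the public interface pass if the client simply asserts the trusted name. In a real deployment the local address comes from the accepted socket (or from a reverse proxy that is itself trusted to report it), not from any request header.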

Xerox has published Security Bulletin XRX25-002 addressing this issue in Workplace Suite, available at https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-WorkplaceSuite%C2%AE.pdf. Security practitioners should consult the bulletin for details on affected versions, patch availability, and recommended mitigations.

Details

CWE(s): CWE-290

Affected Products

Vendor: xerox
Product: workplace suite
Versions: ≤ 5.6.701.9
