Expert Comments

Experts On Xerox DocuShare Bugs Allow Data Leaks

Expert(s): ISBuzz Staff
Expert(s): ISBuzz Staff

CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes. Xerox issued a fix for two vulnerabilities impacting its market-leading DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to an attack resulting in the loss of sensitive data. On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and administrators to apply a patch that plugged two security holes in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated important. Tracked as CVE-2020-27177, Xerox said the vulnerabilities open Solaris, Linux, and Windows DucuShare users up to both a server-side request forgery (SSRF) attack and an unauthenticated external XML entity injection attack (XXE). Xerox issued its security advisory (XRX20W) on November 30. 

More information: https://threatpost.com/xerox-docushare-bugs/161791/

Experts Comments

December 04, 2020
Jamie Akhtar
CEO and Co-founder
CyberSmart
Organisations can often protect themselves from the vast majority of cyber-attacks simply by adhering to a basic set of cyber hygiene standards. Chief among these is staying aware of the vulnerabilities that exist, then swiftly updating and patching devices. Xerox has already made available patches to the security flaws in their exposed systems. It is now down to organisations to implement these. Those who delay this will no doubt attract the attention of cybercriminals, who see these.....Read More
Organisations can often protect themselves from the vast majority of cyber-attacks simply by adhering to a basic set of cyber hygiene standards. Chief among these is staying aware of the vulnerabilities that exist, then swiftly updating and patching devices. Xerox has already made available patches to the security flaws in their exposed systems. It is now down to organisations to implement these. Those who delay this will no doubt attract the attention of cybercriminals, who see these businesses as an easy target. Unfortunately, software providers may not always have a ‘hot fix’ available for all software. In this case, the Solaris version of DocuShare 7.5 is not yet available. In these situations, organisations should implement temporary mitigation procedures until a permanent solution is offered.  Read Less
December 04, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
Bugs such as this are very concerning, particularly as document signing happens online more and more. This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should.....Read More
Bugs such as this are very concerning, particularly as document signing happens online more and more. This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, i.e. payments, authentication credentials, and PII data. Security Automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-Factor Authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third-factor types, i.e. token type and how they have been implemented/configured with the WordPress Site.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.
SUBMIT

You may also like

Cybersecurity Expert Reaction On UK’s Financial Regulator Scraps 90-day Authentication...

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

Panasonic Becomes Latest Victim Of Data Breach – Security Expert...

Clearview’s £17 Million Fine For Processing 10+ Billion Images Is...

Booz Allen Report On CISOs And China Quantum Computing Risks,...

Experts Reactions On Sky Broadband Hack Warning

Ransomware Set To Break Records This Black Friday 2021

Security Expert On Apple Suing NSO Group

Meta Delays Plans To Rollout End-to-end Encryption

NCSC Issues Black Friday Warning To Tetailers

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts