Notification about the vulnerability in Xerox FreeFlow Core

January 7, 2025

Dear Customers,

We would like to thank you for your continued support towards FUJIFILM Business Innovation products.

A vulnerability (CVE-2024-47555~47559)*1 has been found in Xerox FreeFlow Core, which is included in the Xerox FreeFlow Digital Workflow Collection.

  • *1Vulnerability information published by the National Institute of Standards and Technology (NIST)

We apologize for any inconvenience this may cause, but please check if your Xerox FreeFlow Core is compatible with the target version, and if so, take the following actions.

At the time of posting this notice, we have not confirmed any attacks that exploit this vulnerability.

Vulnerability Details

We have found the following vulnerabilities in our product Xerox FreeFlow Core that lead to multiple remote code execution.

  • CVE-2024-47555 (High): Lack of authentication for critical functions (CWE-306)
  • CVE-2024-47556 (High), CVE-2024-47557 (High):
    Pre-Authentication Remote Code Execution via Path Traversal (CWE-22)
  • CVE-2024-47558 (High), CVE-2024-47559 (High):
    Remote Code Execution Authenticated via Path Traversal (CWE-22)

Eligible products and versions

Xerox FreeFlow Core 7.0.0~7.0.10

  • How to check the version
    1. After logging in, click the “?” mark in the upper right corner of the screen and select the “FreeFlow Core Information” menu.

    2. Check the version on the screen that appears.

Correspondence

Xerox FreeFlow Core 7.0.11
We have prepared a Xerox FreeFlow Core 7.0.11 patch module that addresses this vulnerability.
Please introduce this.

Workaround

If you are using the site in a network environment protected by your firewall, etc., you are not affected by this vulnerability.
Therefore, until the Xerox FreeFlow Core 7.0.11 patch module is introduced, it is recommended to use it in a protected network environment.

Related Information

Contact information

  • Customers who have a software support contract
    Please contact the Fujifilm Business Innovation subsidiary/distributor where you purchased your software.
  • Customers who do not have a software support contract
    Please contact the distributor where you purchased your software.