CVE-2024-4197 – Avaya IP Office One-X Portal File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2024-4197
An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1. • https://download.avaya.com/css/public/documents/101090768 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-4196 – Avaya IP Office Web Control RCE Vulnerability
https://notcve.org/view.php?id=CVE-2024-4196
An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1. • https://download.avaya.com/css/public/documents/101090768 • CWE-20: Improper Input Validation •
CVE-2023-7031 – Avaya Experience Portal Manager Insecure Direct Object Reference Vulnerabilities
https://notcve.org/view.php?id=CVE-2023-7031
Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. Se descubrieron vulnerabilidades de referencia directa de objetos inseguros en Avaya Aura Experience Portal Manager que pueden permitir la divulgación parcial de información a un usuario autenticado sin privilegios. Las versiones afectadas incluyen 8.0.x y 8.1.x, anteriores al parche 0402 8.1.2. • https://support.avaya.com/css/public/documents/101088063 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-3722 – Avaya Aura Device Services Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-3722
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier. • https://download.avaya.com/css/public/documents/101076366 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-3527 – Avaya Call Management System CSV injection vulnerability
https://notcve.org/view.php?id=CVE-2023-3527
A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. • https://download.avaya.com/css/public/documents/101086364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •