CVE-2019-7004 – Avaya IP Office XSS Vulnerability
https://notcve.org/view.php?id=CVE-2019-7004
A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated.
• https://www.exploit-db.com/exploits/48105
• http://packetstormsecurity.com/files/156476/Avaya-IP-Office-Application-Server-11.0.0.0-Cross-Site-Scripting.html
• https://support.avaya.com/css/P8/documents/101062833
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7001 – Avaya IPOCC WebUI SQL Injection
https://notcve.org/view.php?id=CVE-2019-7001
A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1908. Unsupported versions not listed here were not evaluated.
• https://downloads.avaya.com/css/P8/documents/101056762
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-15614 – IP Office one-X Portal XSS
https://notcve.org/view.php?id=CVE-2018-15614
A vulnerability in the one-X Portal component of IP Office could allow an authenticated user to perform stored cross-site scripting attacks via fields in the Conference Scheduler Service that could affect other application users. Affected versions of IP Office include 10.0 through 10.1 SP3 and 11.0 versions prior to 11.0 SP1.
• https://downloads.avaya.com/css/P8/documents/101054317
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15610 – Improper access controls in IP Office one-X Portal
https://notcve.org/view.php?id=CVE-2018-15610
A vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 through 10.1 SP2. Avaya one-X versions 9.x, 10.0.x, and 10.1.x suffer from arbitrary file disclosure and deletion vulnerabilities.
• https://downloads.avaya.com/css/P8/documents/101051984
• https://packetstormsecurity.com/files/149284/Avaya-one-X-9.x-10.0.x-10.1.x-Arbitrary-File-Disclosure-Deletion.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-284: Improper Access Control
CVE-2017-11309 – Avaya IP Office (IPO) < 10.1 - 'SoftConsole' Remote Buffer Overflow (SEH)
https://notcve.org/view.php?id=CVE-2017-11309
Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute arbitrary code via a long response. Avaya IP Office (IPO) versions 9.1.0 through 10.1 suffer from a soft console remote buffer overflow vulnerability.
• https://www.exploit-db.com/exploits/43121
• http://downloads.avaya.com/css/P8/documents/101044086
• http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-%28IPO%29-v9.1.0-10.1-SOFT-CONSOLE-REMOTE-BUFFER-OVERFLOW-0DAY.txt
• http://packetstormsecurity.com/files/144883/Avaya-IP-Office-IPO-10.1-Soft-Console-Remote-Buffer-Overflow.html
• http://www.securityfocus.com/bid/101674
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer