CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25650 – Avaya Aura Utility Services Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-25650
A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to execute specially crafted scripts as a privileged user. Affects all 7.x versions of Avaya Aura Utility Services Se ha detectado una vulnerabilidad de escalada de privilegios en Avaya Aura Utility Services que podría permitir potencialmente a un usuario local ejecutar scripts especialmente diseñados como usuario privilegiado. Afecta a todas las versiones 7.x de Avaya Aura Utility Services • https://support.avaya.com/css/P8/documents/101072728 • CWE-250: Execution with Unnecessary Privileges CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25649 – Avaya Utility Services Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-25649
An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility Services. This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects all 7.x versions of Avaya Aura Utility Services Se ha detectado una vulnerabilidad de divulgación de información en la administración de directorios y archivos de Avaya Aura Utility Services. Esta vulnerabilidad podría permitir potencialmente a cualquier usuario local acceder a la funcionalidad del sistema y a la información de configuración que sólo debería estar disponible para un usuario con privilegios. Afecta a todas las versiones 7.x de Avaya Aura Utility Services • https://support.avaya.com/css/P8/documents/101072728 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7035 – XXE in Avaya Aura Orchestration Designer
https://notcve.org/view.php?id=CVE-2020-7035
An XML External Entities (XXE)vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Orchestration Designer includes all 7.x versions before 7.2.3. Una vulnerabilidad de XML External Entities (XXE) en la interfaz de usuario basada en web de Avaya Aura Orchestration Designer, podría permitir a un atacante remoto autenticado conseguir acceso de lectura a información almacenada en un sistema afectado. Las versiones afectadas de Orchestration Designer incluyen todas las versiones 7.x anteriores a 7.2.3 • https://downloads.avaya.com/css/P8/documents/101075450 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 2%CPEs: 4EXPL: 3CVE-2020-7032 – Avaya WebLM Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2020-7032
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2. Una vulnerabilidad de tipo XML external entity (XXE) en la interfaz de administración de Avaya WebLM, permite a usuarios autenticados leer archivos arbitrarios o realizar ataques de tipo server-side request forgery (SSRF) por medio de un DTD diseñado en una petición XML. Las versiones afectadas de Avaya WebLM incluyen: versiones 7.0 hasta 7.1.3.6 y versiones 8.0 hasta 8.1.2 Avaya Web License Manager versions 6.x, 7.0 through 7.1.3.6, and 8.0 through 8.1.2.0.0 suffer from a blind out-of-band XML external entity injection vulnerability. • http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html http://seclists.org/fulldisclosure/2020/Nov/31 https://downloads.avaya.com/css/P8/documents/101072249 https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-7029 – Avaya Product System Management Interface Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2020-7029
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. Se descubrió una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el componente System Management Interface Web de Avaya Aura Communication Manager y Avaya Aura Messaging. • https://support.avaya.com/css/P8/documents/101070201 • CWE-352: Cross-Site Request Forgery (CSRF) •