CVE-2020-7032 – Avaya WebLM Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2020-7032
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2. Avaya Web License Manager versions 6.x, 7.0 through 7.1.3.6, and 8.0 through 8.1.2.0.0 suffer from a blind out-of-band XML external entity injection vulnerability. • http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html http://seclists.org/fulldisclosure/2020/Nov/31 https://downloads.avaya.com/css/P8/documents/101072249 https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager • CWE-611: Improper Restriction of XML External Entity Reference
CVE-2020-7033 – Avaya Equinox Conferencing XSS
https://notcve.org/view.php?id=CVE-2020-7033
A Cross Site Scripting (XSS) vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. The affected versions of Equinox Conferencing include all 9.x versions before 9.1.10. • https://downloads.avaya.com/css/P8/documents/101072147 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7029 – Avaya Product System Management Interface Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2020-7029
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privilege level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. • https://support.avaya.com/css/P8/documents/101070201 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-7005 – Unauthenticated Information Disclosure Vulnerability in IP Office
https://notcve.org/view.php?id=CVE-2019-7005
A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote, unauthenticated user with network access to gain sensitive information. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.2. • https://downloads.avaya.com/css/P8/documents/101070158 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-7030 – IPO Information Disclosure
https://notcve.org/view.php?id=CVE-2020-7030
A sensitive information disclosure vulnerability was discovered in the web interface component of IP Office that may potentially allow a local user to gain unauthorized access to the component. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.3. Avaya IP Office versions 9.1.8.0 through 11 suffer from an insecure transit vulnerability that allows for password disclosure. • https://www.exploit-db.com/exploits/48581 http://packetstormsecurity.com/files/157957/Avaya-IP-Office-11-Insecure-Transit-Password-Disclosure.html http://seclists.org/fulldisclosure/2020/Jun/12 https://downloads.avaya.com/css/P8/documents/101067493 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials