
CVSS: 7.2 • EPSS: 0% • CPEs: 3 • EXPL: 0

A vulnerability in the Supervisor component of Avaya Call Management System allows a local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x. • http://www.securityfocus.com/bid/105392 https://downloads.avaya.com/css/P8/documents/101052300 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. • https://downloads.avaya.com/css/P8/documents/101052293 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. • https://downloads.avaya.com/css/P8/documents/101052293 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.0 • EPSS: 0% • CPEs: 24 • EXPL: 0

A vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 through 10.1 SP2. Avaya one-X versions 9.x, 10.0.x, and 10.1.x suffer from arbitrary file disclosure and deletion vulnerabilities. • https://downloads.avaya.com/css/P8/documents/101051984 https://packetstormsecurity.com/files/149284/Avaya-one-X-9.x-10.0.x-10.1.x-Arbitrary-File-Disclosure-Deletion.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-284: Improper Access Control

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896. • http://www.securityfocus.com/bid/102940 http://www.securitytracker.com/id/1040329 https://downloads.avaya.com/css/P8/documents/101038598 • CWE-326: Inadequate Encryption Strength