
CVE-2024-12756 – Avaya Spaces HTML injection (HTMLi) Vulnerability
https://notcve.org/view.php?id=CVE-2024-12756
11 Feb 2025 — An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user. • https://support.avaya.com/css/public/documents/101091836 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2024-12755 – Avaya Spaces XSS Vulnerability
https://notcve.org/view.php?id=CVE-2024-12755
11 Feb 2025 — A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclosure of sensitive information. • https://support.avaya.com/css/public/documents/101091836 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-7480 – Improper access control in Avaya Aura System Manager
https://notcve.org/view.php?id=CVE-2024-7480
08 Aug 2024 — An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. • https://download.avaya.com/css/public/documents/101091159 • CWE-269: Improper Privilege Management •

CVE-2024-7477 – Avaya Aura System Manager SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2024-7477
08 Aug 2024 — A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. • https://download.avaya.com/css/public/documents/101091159 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-4197 – Avaya IP Office One-X Portal File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2024-4197
25 Jun 2024 — An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1. • https://download.avaya.com/css/public/documents/101090768 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-4196 – Avaya IP Office Web Control RCE Vulnerability
https://notcve.org/view.php?id=CVE-2024-4196
25 Jun 2024 — An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1. • https://download.avaya.com/css/public/documents/101090768 • CWE-20: Improper Input Validation •

CVE-2023-7031 – Avaya Experience Portal Manager Insecure Direct Object Reference Vulnerabilities
https://notcve.org/view.php?id=CVE-2023-7031
17 Jan 2024 — Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. • https://support.avaya.com/css/public/documents/101088063 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-3722 – Avaya Aura Device Services Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-3722
19 Jul 2023 — An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier. • https://github.com/pizza-power/CVE-2023-3722 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-3527 – Avaya Call Management System CSV injection vulnerability
https://notcve.org/view.php?id=CVE-2023-3527
18 Jul 2023 — A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. • https://download.avaya.com/css/public/documents/101086364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2023-32218 – Avaya IX Workforce Engagement - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
https://notcve.org/view.php?id=CVE-2023-32218
30 May 2023 — Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •