CVE-2020-7032

Avaya WebLM Improper Restriction of XML External Entity Reference

  • Severity Score (CVSS v3.1): 6.5
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits (Multiple Sources): 3
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Avaya Web License Manager versions 6.x, 7.0 through 7.1.3.6, and 8.0 through 8.1.2.0.0 suffer from a blind out-of-band XML external entity injection vulnerability.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-01-14 CVE Reserved
  • 2020-11-13 CVE Published
  • 2024-07-30 EPSS Updated
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product              Version            Other  Status
Avaya   Aura System Manager  >= 7.0 <= 7.1.3.6  -      Affected
Avaya   Aura System Manager  >= 8.0 <= 8.1.2    -      Affected
Avaya   Weblm                >= 7.0 <= 7.1.3.6  -      Affected
Avaya   Weblm                >= 8.0.0 < 8.1.3   -      Affected