An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1.
An attacker sends a specially crafted HTTP request to the Web Control component of the Avaya IP Office system. Lack of proper input data validation allows malicious data to be smuggled in, which is then interpreted and executed by the system as commands or code. The attack does not require authentication or user interaction, and its effects extend beyond the boundaries of the attacked component (scope changed).
Attackers can gain full control over the system, including reading and modifying sensitive data and disrupting service availability — which corresponds to the maximum level of impact on confidentiality, integrity, and availability.
Avaya IP Office should be updated to version 11.1.3.1 or newer as soon as possible. Detailed information about the patch is available in the official Avaya security bulletin at: https://download.avaya.com/css/public/documents/101090768
All versions of Avaya IP Office prior to 11.1.3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAvaya Ip Office
APPAvaya< 11.1.3.1
Related vulnerabilities
Unrestricted file upload umożliwiający RCE w Avaya IP Office (One-X)
Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute ar...
A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may pot...
A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote...
A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL che...