cnvd - cnvd-2019-25761

CNVD-2019-25761

Vulnerability from cnvd - Published: 2019-08-02

Title

Avaya Aura Conferencing跨站脚本漏洞

Description

Avaya Aura Conferencing是美国Avaya公司的一套下一代内部部署协作解决方案。该产品能够提供音频、高清视频和Web协作等功能。Avaya Aura Conferencing 8.0 SP14 (8.0.14)之前的8.x版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

Severity

中

Patch Name

Avaya Aura Conferencing跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://downloads.avaya.com/css/P8/documents/101060208

Reference

https://downloads.avaya.com/css/P8/documents/101060208

Impacted products

Name
Avaya Avaya Aura Conferencing 8.*;<8.0 SP14 (8.0.14)

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-7000",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-7000"
    }
  },
  "description": "Avaya Aura Conferencing\u662f\u7f8e\u56fdAvaya\u516c\u53f8\u7684\u4e00\u5957\u4e0b\u4e00\u4ee3\u5185\u90e8\u90e8\u7f72\u534f\u4f5c\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u80fd\u591f\u63d0\u4f9b\u97f3\u9891\u3001\u9ad8\u6e05\u89c6\u9891\u548cWeb\u534f\u4f5c\u7b49\u529f\u80fd\u3002Avaya Aura Conferencing 8.0 SP14 (8.0.14)\u4e4b\u524d\u76848.x\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttps://downloads.avaya.com/css/P8/documents/101060208",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-25761",
  "openTime": "2019-08-02",
  "patchDescription": "Avaya Aura Conferencing\u662f\u7f8e\u56fdAvaya\u516c\u53f8\u7684\u4e00\u5957\u4e0b\u4e00\u4ee3\u5185\u90e8\u90e8\u7f72\u534f\u4f5c\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u80fd\u591f\u63d0\u4f9b\u97f3\u9891\u3001\u9ad8\u6e05\u89c6\u9891\u548cWeb\u534f\u4f5c\u7b49\u529f\u80fd\u3002Avaya Aura Conferencing 8.0 SP14 (8.0.14)\u4e4b\u524d\u76848.x\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Avaya Aura Conferencing\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Avaya Avaya Aura Conferencing 8.*;\u003c8.0 SP14 (8.0.14)"
  },
  "referenceLink": "https://downloads.avaya.com/css/P8/documents/101060208",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-02",
  "title": "Avaya Aura Conferencing\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2019-7000 (GCVE-0-2019-7000)

Vulnerability from cvelistv5 – Published: 2019-07-31 21:42 – Updated: 2024-09-16 22:51

Title

Avaya Aura Conferencing XSS

Summary

A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information. Affected versions of Avaya Aura Conferencing include all 8.x versions prior to 8.0 SP14 (8.0.14). Prior versions not listed were not evaluated.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

avaya

References

URL

Tags

https://downloads.avaya.com/css/P8/documents/101060208

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Avaya	Avaya Aura Conferencing	Affected: 8.x , < 8.0.14 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:38:32.607Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://downloads.avaya.com/css/P8/documents/101060208"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Avaya Aura Conferencing",
          "vendor": "Avaya",
          "versions": [
            {
              "lessThan": "8.0.14",
              "status": "affected",
              "version": "8.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-07-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information. Affected versions of Avaya Aura Conferencing include all 8.x versions prior to 8.0 SP14 (8.0.14). Prior versions not listed were not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-31T21:42:45",
        "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
        "shortName": "avaya"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://downloads.avaya.com/css/P8/documents/101060208"
        }
      ],
      "source": {
        "advisory": "ASA-2019-134"
      },
      "title": "Avaya Aura Conferencing XSS",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "securityalerts@avaya.com",
          "DATE_PUBLIC": "2019-07-31T20:55:00.000Z",
          "ID": "CVE-2019-7000",
          "STATE": "PUBLIC",
          "TITLE": "Avaya Aura Conferencing XSS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Avaya Aura Conferencing",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "8.x",
                            "version_value": "8.0.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Avaya"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information. Affected versions of Avaya Aura Conferencing include all 8.x versions prior to 8.0 SP14 (8.0.14). Prior versions not listed were not evaluated."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://downloads.avaya.com/css/P8/documents/101060208",
              "refsource": "CONFIRM",
              "url": "https://downloads.avaya.com/css/P8/documents/101060208"
            }
          ]
        },
        "source": {
          "advisory": "ASA-2019-134"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
    "assignerShortName": "avaya",
    "cveId": "CVE-2019-7000",
    "datePublished": "2019-07-31T21:42:45.850387Z",
    "dateReserved": "2019-01-28T00:00:00",
    "dateUpdated": "2024-09-16T22:51:22.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-25761

CVE-2019-7000 (GCVE-0-2019-7000)

Tags

Sightings

Nomenclature