Search
Find a vulnerability
Search criteria
2 vulnerabilities found for System Manager by Avaya
CVE-2020-7032 (GCVE-0-2020-7032)
Vulnerability from nvd – Published: 2020-11-13 00:20 – Updated: 2024-09-17 01:45
VLAI
Title
Avaya WebLM Improper Restriction of XML External Entity Reference
Summary
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
Severity
6.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://downloads.avaya.com/css/P8/documents/101072249 | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2020/Nov/31 | mailing-listx_refsource_FULLDISC |
| http://packetstormsecurity.com/files/160123/Avaya… | x_refsource_MISC |
| https://sec-consult.com/vulnerability-lab/advisor… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Avaya | WebLM |
Affected:
8.0.x
Affected: 7.0 , < 7.1.3.6 (custom) Affected: 8.1 , < 8.1.2 (custom) |
|
| Avaya | System Manager |
Affected:
8.0.x
Affected: 7.0 , < 7.1.3.6 (custom) Affected: 8.1 , < 8.1.2 (custom) |
Date Public
2020-11-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:18:02.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WebLM",
"vendor": "Avaya",
"versions": [
{
"status": "affected",
"version": "8.0.x"
},
{
"lessThan": "7.1.3.6",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.1.2",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
},
{
"product": "System Manager",
"vendor": "Avaya",
"versions": [
{
"status": "affected",
"version": "8.0.x"
},
{
"lessThan": "7.1.3.6",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.1.2",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T20:54:07.000Z",
"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
"shortName": "avaya"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
],
"source": {
"advisory": "ASA-2020-153"
},
"title": "Avaya WebLM Improper Restriction of XML External Entity Reference",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "securityalerts@avaya.com",
"DATE_PUBLIC": "2020-11-12T07:00:00.000Z",
"ID": "CVE-2020-7032",
"STATE": "PUBLIC",
"TITLE": "Avaya WebLM Improper Restriction of XML External Entity Reference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WebLM",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "7.1.3.6"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "8.0.x",
"version_value": "8.0.x"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.2"
}
]
}
},
{
"product_name": "System Manager",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "7.1.3.6"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "8.0.x",
"version_value": "8.0.x"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.2"
}
]
}
}
]
},
"vendor_name": "Avaya"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://downloads.avaya.com/css/P8/documents/101072249",
"refsource": "CONFIRM",
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"name": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"name": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/",
"refsource": "MISC",
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
]
},
"source": {
"advisory": "ASA-2020-153"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
"assignerShortName": "avaya",
"cveId": "CVE-2020-7032",
"datePublished": "2020-11-13T00:20:14.764Z",
"dateReserved": "2020-01-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:45:48.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7032 (GCVE-0-2020-7032)
Vulnerability from cvelistv5 – Published: 2020-11-13 00:20 – Updated: 2024-09-17 01:45
VLAI
Title
Avaya WebLM Improper Restriction of XML External Entity Reference
Summary
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
Severity
6.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://downloads.avaya.com/css/P8/documents/101072249 | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2020/Nov/31 | mailing-listx_refsource_FULLDISC |
| http://packetstormsecurity.com/files/160123/Avaya… | x_refsource_MISC |
| https://sec-consult.com/vulnerability-lab/advisor… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Avaya | WebLM |
Affected:
8.0.x
Affected: 7.0 , < 7.1.3.6 (custom) Affected: 8.1 , < 8.1.2 (custom) |
|
| Avaya | System Manager |
Affected:
8.0.x
Affected: 7.0 , < 7.1.3.6 (custom) Affected: 8.1 , < 8.1.2 (custom) |
Date Public
2020-11-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:18:02.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WebLM",
"vendor": "Avaya",
"versions": [
{
"status": "affected",
"version": "8.0.x"
},
{
"lessThan": "7.1.3.6",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.1.2",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
},
{
"product": "System Manager",
"vendor": "Avaya",
"versions": [
{
"status": "affected",
"version": "8.0.x"
},
{
"lessThan": "7.1.3.6",
"status": "affected",
"version": "7.0",
"versionType": "custom"
},
{
"lessThan": "8.1.2",
"status": "affected",
"version": "8.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-11-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T20:54:07.000Z",
"orgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
"shortName": "avaya"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
],
"source": {
"advisory": "ASA-2020-153"
},
"title": "Avaya WebLM Improper Restriction of XML External Entity Reference",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "securityalerts@avaya.com",
"DATE_PUBLIC": "2020-11-12T07:00:00.000Z",
"ID": "CVE-2020-7032",
"STATE": "PUBLIC",
"TITLE": "Avaya WebLM Improper Restriction of XML External Entity Reference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WebLM",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "7.1.3.6"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "8.0.x",
"version_value": "8.0.x"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.2"
}
]
}
},
{
"product_name": "System Manager",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "7.1.3.6"
},
{
"affected": "=",
"version_affected": "=",
"version_name": "8.0.x",
"version_value": "8.0.x"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": "8.1",
"version_value": "8.1.2"
}
]
}
}
]
},
"vendor_name": "Avaya"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://downloads.avaya.com/css/P8/documents/101072249",
"refsource": "CONFIRM",
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"name": "20201117 SEC Consult SA-20201117-0 :: Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
},
{
"name": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"name": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/",
"refsource": "MISC",
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/"
}
]
},
"source": {
"advisory": "ASA-2020-153"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96",
"assignerShortName": "avaya",
"cveId": "CVE-2020-7032",
"datePublished": "2020-11-13T00:20:14.764Z",
"dateReserved": "2020-01-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:45:48.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}