CVE-2020-7032

Опубликовано: 13 нояб. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 5.5

EPSS Низкий

Описание

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Ссылки

http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Nov/31
Exploit
Mailing List
Third Party Advisory
https://downloads.avaya.com/css/P8/documents/101072249
Vendor Advisory
https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Nov/31
Exploit
Mailing List
Third Party Advisory
https://downloads.avaya.com/css/P8/documents/101072249
Vendor Advisory
https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*

Версия от 7.0 (включая) до 7.1.3.6 (включая)

cpe:2.3:a:avaya:aura_system_manager:*:*:*:*:*:*:*:*

Версия от 8.0 (включая) до 8.1.2 (включая)

cpe:2.3:a:avaya:weblm:*:*:*:*:*:*:*:*

Версия от 7.0 (включая) до 7.1.3.6 (включая)

cpe:2.3:a:avaya:weblm:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.1.3 (исключая)

EPSS

Процентиль: 71%

0.00659

Низкий

6.5 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-q87h-3ppq-wwf5