cvelist | Avaya | CVELIST:CVE-2023-3527
History: Jul 18, 2023 - 9:10 p.m.

CVE-2023-3527 Avaya Call Management System CSV injection vulnerability

2023-07-18 21:10:36
CWE-1236
avaya
www.cve.org
avaya call management system
csv injection
vulnerability
administrative privileges
crafted data
arbitrary command execution
spreadsheet software
microsoft excel

CVSS3: 6.8 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

AI Score: 7 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 27.0%)

A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Avaya Call Management System",
    "vendor": "Avaya",
    "versions": [
      {
        "status": "affected",
        "version": "19.x.x.x"
      }
    ]
  }
]
