Avaya: Security Vulnerabilities
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
CVSS Score
5.3
EPSS Score
0.003
Published
2025-06-12
An improper input validation discovered in
Avaya Call Management System
could allow an unauthorized
remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0.
CVSS Score
9.9
EPSS Score
0.005
Published
2025-06-10
A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclose of sensitive information.
CVSS Score
7.9
EPSS Score
0.001
Published
2025-02-11
An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-02-11
A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database.
Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-08-08
An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.
CVSS Score
4.2
EPSS Score
0.001
Published
2024-08-08
An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1.
CVSS Score
9.9
EPSS Score
0.006
Published
2024-06-25
An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1.
CVSS Score
10.0
EPSS Score
0.008
Published
2024-06-25
Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support.
CVSS Score
5.7
EPSS Score
0.001
Published
2024-01-17
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.
CVSS Score
8.6
EPSS Score
0.546
Published
2023-07-19
Page 1