Avaya Communications Manager Javascript Remote Code Execution Vulnerability

Bugtraq ID:	22866
Class:	Input Validation Error
CVE:	CVE-2007-1367
Remote:	Yes
Local:	No
Published:	Mar 07 2007 12:00AM
Updated:	May 12 2015 07:33PM
Credit:	This vulnerability was disclosed by the vendor.
Vulnerable:	Avaya S8710 R2.0.1 Avaya S8710 R2.0.0 Avaya S8710 CM 3.1 Avaya S8710 CM 2.0 Avaya S8700 R2.0.1 Avaya S8700 R2.0.0 Avaya S8700 CM 3.1 Avaya S8700 CM 2.0 Avaya S8500 R2.0.1 Avaya S8500 R2.0.0 Avaya S8500 CM 3.1 Avaya S8500 CM 2.0 Avaya S8500 0 Avaya S8300 R2.0.1 Avaya S8300 R2.0.0 Avaya S8300 CM 3.1 Avaya S8300 CM 2.0 Avaya S8300 0
Not Vulnerable:	Avaya S8700 CM 3.1.3 Avaya S8500 CM 3.1.3 Avaya S8300 CM 3.1.3

Avaya Communications Manager Javascript Remote Code Execution Vulnerability

Avaya Communications Manager is prone to a remote JavaScript code-execution vulnerability due to a design error.

Successful exploits may allow an attacker to execute arbitrary JavaScript code in the context of the affected application.

All versions of Avaya S8700, S8500, S8300 products prior to CM 3.1.3 are confirmed vulnerable to this issue.

Avaya Communications Manager Javascript Remote Code Execution Vulnerability

An attacker may exploit this issue by enticing victims into submitting a malicious request.

Avaya Communications Manager Javascript Remote Code Execution Vulnerability

Solution:
The vendor released fixes to address this issue. Please see the references for more information.

Avaya Communications Manager Javascript Remote Code Execution Vulnerability

References:

• Avaya Homepage (Avaya Inc.)
  
• Javascript Input Validation Issues In Avaya Communications Manager (Avaya)