CVE-2007-1367

Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/24397
http://support.avaya.com/elmodocs2/security/ASA-2007-064.htm	Patch Vendor Advisory
http://www.osvdb.org/33297
http://www.securityfocus.com/bid/22866

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:h:avaya:s8710:cm_2.0:::::::*
	cpe:2.3:h:avaya:s8710:cm_3.1:::::::*
	cpe:2.3:h:avaya:s8710:r2.0.0:::::::*
	cpe:2.3:h:avaya:s8710:r2.0.1:::::::*

OR	cpe:2.3:h:avaya:s8300:cm_2.0:::::::*
	cpe:2.3:h:avaya:s8300:cm_3.1:::::::*
	cpe:2.3:h:avaya:s8300:r2.0.0:::::::*
	cpe:2.3:h:avaya:s8300:r2.0.1:::::::*
	cpe:2.3:h:avaya:s8500:cm_2.0:::::::*
	cpe:2.3:h:avaya:s8500:cm_3.1:::::::*
	cpe:2.3:h:avaya:s8500:r2.0.0:::::::*
	cpe:2.3:h:avaya:s8500:r2.0.1:::::::*
	cpe:2.3:h:avaya:s8700:cm_2.0:::::::*
	cpe:2.3:h:avaya:s8700:cm_3.1:::::::*
	cpe:2.3:h:avaya:s8700:r2.0.0:::::::*
	cpe:2.3:h:avaya:s8700:r2.0.1:::::::*

History

No history.

Information

Published : 2007-03-09 22:19

Updated : 2024-02-28 11:01

NVD link : CVE-2007-1367

Mitre link : CVE-2007-1367

CVE.ORG link : CVE-2007-1367

JSON object : View

Products Affected

avaya

s8710
s8700
s8500
s8300

CWE

NVD-CWE-Other

{"id": "CVE-2007-1367", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2007-03-09T22:19:00.000", "references": [{"url": "http://secunia.com/advisories/24397", "source": "cve@mitre.org"}, {"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-064.htm", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/33297", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/22866", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field."}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la p\u00e1gina de autenticaci\u00f3n de los productos Avaya Communications Manager (CM) S87XX, S8500 y S8300 anteriores al 3.1.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante el campo Login."}], "lastModified": "2008-09-05T21:20:18.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:avaya:s8710:cm_2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80FAA203-5F76-4C21-AC05-57514C431653"}, {"criteria": "cpe:2.3:h:avaya:s8710:cm_3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32CD9BFE-4442-4CF0-9139-F9D7F2BC7E58"}, {"criteria": "cpe:2.3:h:avaya:s8710:r2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68B1272B-8B71-4D2D-A5E4-0E7828500C22"}, {"criteria": "cpe:2.3:h:avaya:s8710:r2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7C7B9C0-91A2-4529-B879-60DE043E719C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:avaya:s8300:cm_2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D4D445B-498F-4513-A0F8-49B3E8D2D80A"}, {"criteria": "cpe:2.3:h:avaya:s8300:cm_3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFBC7428-E9E3-444D-908C-124746E673B3"}, {"criteria": "cpe:2.3:h:avaya:s8300:r2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C0BD87-CE4B-49D2-89BE-EF282C43AD72"}, {"criteria": "cpe:2.3:h:avaya:s8300:r2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3E6C4A8-59F4-43EE-8413-E95289037598"}, {"criteria": "cpe:2.3:h:avaya:s8500:cm_2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D558C4A-8656-47D6-BA5B-4B6BD9A8C6E4"}, {"criteria": "cpe:2.3:h:avaya:s8500:cm_3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D421904B-2791-42C8-AAB5-BEAC5F954534"}, {"criteria": "cpe:2.3:h:avaya:s8500:r2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE76357A-27E6-4D85-9AA0-1BB658C41568"}, {"criteria": "cpe:2.3:h:avaya:s8500:r2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C56C5FDB-24E2-479D-87CA-164CD28567D3"}, {"criteria": "cpe:2.3:h:avaya:s8700:cm_2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDDAC89B-F0D4-4373-835F-99AF4F0BCF3F"}, {"criteria": "cpe:2.3:h:avaya:s8700:cm_3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0042D294-4AF7-45F5-B356-13B72044D9B4"}, {"criteria": "cpe:2.3:h:avaya:s8700:r2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEF6C16F-8EDF-4A24-BFEF-6A304D654EEB"}, {"criteria": "cpe:2.3:h:avaya:s8700:r2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D982AE39-BB57-49E7-B5FE-5EF1ADE2F019"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}