Vulnerability Details : CVE-2019-7004
Potential exploit
A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-7004
- Avaya » IP Office Application Server
  - Versions from including (>=) 11.0 and up to, including, (<=) 11.0.4.0
  - cpe:2.3:a:avaya:ip_office_application_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-7004
0.34%: Probability of exploitation activity in the next 30 days
~ 71%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-7004
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
6.4 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | 1.2 | 5.2 | Avaya, Inc. | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2019-7004
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by:
  - nvd@nist.gov (Primary)
  - securityalerts@avaya.com (Secondary)
References for CVE-2019-7004
- http://packetstormsecurity.com/files/156476/Avaya-IP-Office-Application-Server-11.0.0.0-Cross-Site-Scripting.html
  Avaya IP Office Application Server 11.0.0.0 Cross Site Scripting ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://support.avaya.com/css/P8/documents/101062833
  ASA-2019-213 (Vendor Advisory)