CVE-2020-7029

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://support.avaya.com/css/P8/documents/101070201	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:avaya:aura_communication_manager::::::::
	cpe:2.3:a:avaya:aura_communication_manager::::::::
	cpe:2.3:a:avaya:aura_messaging::::::::
	cpe:2.3:a:avaya:aura_messaging:7.1:-::::::
	cpe:2.3:a:avaya:aura_messaging:7.1:sp1::::::

History

No history.

Information

Published : 2020-08-11 23:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-7029

Mitre link : CVE-2020-7029

CVE.ORG link : CVE-2020-7029

JSON object : View

Products Affected

avaya

aura_communication_manager
aura_messaging

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2020-7029", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "securityalerts@avaya.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.6}]}, "published": "2020-08-11T23:15:11.590", "references": [{"url": "https://support.avaya.com/css/P8/documents/101070201", "tags": ["Vendor Advisory"], "source": "securityalerts@avaya.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "securityalerts@avaya.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de Cross-Site Request Forgery (CSRF) en el componente System Management Interface Web de Avaya Aura Communication Manager y Avaya Aura Messaging. Esta vulnerabilidad podr\u00eda permitir a un atacante remoto no autenticado realizar acciones de administraci\u00f3n Web con el nivel privilegiado del usuario autenticado. Las versiones afectadas del Communication Manager son 7.0.x, 7.1.x anteriores a 7.1.3.5 y 8.0.x. Las versiones afectadas de Messaging son 7.0.x, 7.1 y 7.1 SP1"}], "lastModified": "2020-08-17T18:35:03.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_communication_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B2D1D2F-EDE8-40B0-AE63-715D53EAC2B9", "versionEndIncluding": "7.1.3.4", "versionStartIncluding": "7.0"}, {"criteria": "cpe:2.3:a:avaya:aura_communication_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "679841D8-6125-4FED-9122-C2D337F354AA", "versionEndExcluding": "8.1.0.0", "versionStartIncluding": "8.0"}, {"criteria": "cpe:2.3:a:avaya:aura_messaging:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "425188C6-4F93-40F7-9D78-5937FC182A4B", "versionEndExcluding": "7.1", "versionStartIncluding": "7.0"}, {"criteria": "cpe:2.3:a:avaya:aura_messaging:7.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE2234D7-2F36-40C0-97AD-E9C8B48A848D"}, {"criteria": "cpe:2.3:a:avaya:aura_messaging:7.1:sp1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71239989-8729-4434-8AB2-1AE983A80C49"}], "operator": "OR"}]}], "sourceIdentifier": "securityalerts@avaya.com"}