Vulnerabilities (CVE)

Filtered by vendor Avaya Subscribe
Total 132 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-25649 1 Avaya 1 Aura Utility Services 2024-06-04 2.1 LOW 5.5 MEDIUM
An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility Services. This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects all 7.x versions of Avaya Aura Utility Services
CVE-2022-38168 1 Avaya 4 Scopia Pathfinder 10 Pts, Scopia Pathfinder 10 Pts Firmware, Scopia Pathfinder 20 Pts and 1 more 2024-05-17 N/A 9.1 CRITICAL
Broken Access Control in User Authentication in Avaya Scopia Pathfinder 10 and 20 PTS version 8.3.7.0.4 allows remote unauthenticated attackers to bypass the login page, access sensitive information, and reset user passwords via URL modification.
CVE-2021-25651 1 Avaya 1 Aura Utility Services 2024-05-17 4.6 MEDIUM 7.8 HIGH
A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to escalate privileges. Affects all 7.x versions of Avaya Aura Utility Services
CVE-2021-25650 1 Avaya 1 Aura Utility Services 2024-05-17 4.6 MEDIUM 8.8 HIGH
A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to execute specially crafted scripts as a privileged user. Affects all 7.x versions of Avaya Aura Utility Services
CVE-2009-0115 8 Avaya, Christophe.varoqui, Debian and 5 more 11 Intuity Audix Lx, Message Networking, Messaging Storage Server and 8 more 2024-02-16 7.2 HIGH 7.8 HIGH
The Device Mapper multipathing driver (aka multipath-tools or device-mapper-multipath) 0.4.8, as used in SUSE openSUSE, SUSE Linux Enterprise Server (SLES), Fedora, and possibly other operating systems, uses world-writable permissions for the socket file (aka /var/run/multipathd.sock), which allows local users to send arbitrary commands to the multipath daemon.
CVE-2004-0594 6 Avaya, Debian, Hp and 3 more 6 Converged Communications Server, Debian Linux, Hp-ux and 3 more 2024-02-15 5.1 MEDIUM N/A
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.
CVE-2004-0112 24 4d, Apple, Avaya and 21 more 65 Webstar, Mac Os X, Mac Os X Server and 62 more 2024-02-15 5.0 MEDIUM N/A
The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.
CVE-2006-1058 2 Avaya, Busybox 5 Aura Application Enablement Services, Aura Sip Enablement Services, Message Networking and 2 more 2024-02-09 2.1 LOW 5.5 MEDIUM
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
CVE-2001-1494 2 Avaya, Kernel 7 Cvlan, Integrated Management Suit, Interactive Response and 4 more 2024-01-26 2.1 LOW 5.5 MEDIUM
script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.
CVE-2009-3939 7 Avaya, Canonical, Debian and 4 more 18 Aura Application Enablement Services, Aura Communication Manager, Aura Session Manager and 15 more 2024-01-25 6.6 MEDIUM 7.1 HIGH
The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.
CVE-2023-7031 1 Avaya 1 Aura Experience Portal 2024-01-25 N/A 4.3 MEDIUM
Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support.
CVE-2004-0079 23 4d, Apple, Avaya and 20 more 66 Webstar, Mac Os X, Mac Os X Server and 63 more 2023-12-28 5.0 MEDIUM 7.5 HIGH
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
CVE-2023-3722 1 Avaya 1 Aura Device Services 2023-12-10 N/A 9.8 CRITICAL
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.
CVE-2023-3527 1 Avaya 1 Call Management System 2023-12-10 N/A 6.8 MEDIUM
A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel.  
CVE-2023-31187 1 Avaya 1 Ix Workforce Engagement 2023-12-10 N/A 6.5 MEDIUM
Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials
CVE-2023-32218 1 Avaya 1 Ix Workforce Engagement 2023-12-10 N/A 6.1 MEDIUM
Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-31186 1 Avaya 1 Ix Workforce Engagement 2023-12-10 N/A 5.3 MEDIUM
Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy
CVE-2021-25657 1 Avaya 1 Ip Office 2023-12-10 N/A 7.8 HIGH
A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may potentially allow a local user to escalate privileges. This issue affects Admin Lite and USB Creator 11.1 Feature Pack 2 Service Pack 1 and earlier versions.
CVE-2022-2249 1 Avaya 1 Aura Communication Manager 2023-12-10 N/A 6.7 MEDIUM
Privilege escalation related vulnerabilities were discovered in Avaya Aura Communication Manager that may allow local administrative users to escalate their privileges. This issue affects Communication Manager versions 8.0.0.0 through 8.1.3.3 and 10.1.0.0.
CVE-2022-2975 1 Avaya 1 Aura Application Enablement Services 2023-12-10 N/A 6.7 MEDIUM
A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.