Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
50139070.8%CRITICAL

Related CVEs

100+
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2025-49186The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.MEDIUM6.523.8%Jun 12, 2025
CVE-2025-1041An improper input validation discovered in Avaya Call Management System could allow an unauthorized remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0.CRITICAL9.827.9%Jun 10, 2025
CVE-2024-12756An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.MEDIUM6.117.5%Feb 11, 2025
CVE-2024-12755A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclose of sensitive information.MEDIUM5.420.8%Feb 11, 2025
CVE-2024-7480An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.MEDIUM4.44.6%Aug 8, 2024
CVE-2024-7477A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database.  Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support.MEDIUM6.78.7%Aug 8, 2024
CVE-2024-4197An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1.CRITICAL9.851.2%Jun 25, 2024
CVE-2024-4196An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1.CRITICAL9.843.6%Jun 25, 2024
CVE-2023-7031Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support.MEDIUM4.325.3%Jan 17, 2024
CVE-2023-3722An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.CRITICAL9.887.1%Jul 19, 2023
CVE-2023-3527A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel.   MEDIUM6.841.3%Jul 18, 2023
CVE-2023-32218Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')MEDIUM6.125.3%May 30, 2023
CVE-2023-31187Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected CredentialsMEDIUM6.537.4%May 30, 2023
CVE-2023-31186Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response DiscrepancyMEDIUM5.335.9%May 30, 2023
CVE-2022-38168Broken Access Control in User Authentication in Avaya Scopia Pathfinder 10 and 20 PTS version 8.3.7.0.4 allows remote unauthenticated attackers to bypass the login page, access sensitive information, and reset user passwords via URL modification.CRITICAL9.1Nov 3, 2022
CVE-2022-2249Privilege escalation related vulnerabilities were discovered in Avaya Aura Communication Manager that may allow local administrative users to escalate their privileges. This issue affects Communication Manager versions 8.0.0.0 through 8.1.3.3 and 10.1.0.0.MEDIUM6.7Oct 12, 2022
CVE-2022-2975A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.MEDIUM6.7Oct 6, 2022
CVE-2021-25657A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may potentially allow a local user to escalate privileges. This issue affects Admin Lite and USB Creator 11.1 Feature Pack 2 Service Pack 1 and earlier versions.HIGH7.8Sep 2, 2022
CVE-2021-25654An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services.HIGH7.8Jun 25, 2021
CVE-2021-25656Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix).MEDIUM5.4Jun 24, 2021