wizlynx group | Reflected Cross Site Scripting (XSS) in Avaya IP Office Contact Center

Vendor
Product	Avaya IP Office Contact Center
Affected Version(s)	10.1.2.1 Build 9400 and probably prior
Tested Version(s)	10.1.2.1 Build 9400
Vendor Notification	January 24, 2019
Advisory Publication	January 24, 2019 [without technical details]
Vendor Fix	N/A
Public Disclosure	N/A
Latest Modification	January 24, 2019
CVE Identifier(s)	Pending
Product Description	Avaya is an American multinational technology company headquartered in Santa Clara, California that specializes in business communications, specifically unified communications, contact center, and services.
Credits	Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group - Toh Yao Xiang, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

SQL Injection
Severity: Medium	CVSS Score: 6.1	CWE-ID: CWE-79	Status: Not Fixed
Vulnerability Description
The web application running on Avaya IP Office Contact Center is affected by Reflected Cross Site Scripting affecting Version: 10.1.2.1 Build 9400 and probably prior versions. These vulnerabilities could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web client interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
CVSS Base Score
Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None