| Vendor |
|
| Product | Avaya IP Office Contact Center |
| Affected Version(s) | 10.1.2.1 Build 9400 and probably prior |
| Tested Version(s) | 10.1.2.1 Build 9400 |
| Vendor Notification | January 24, 2019 |
| Advisory Publication | January 24, 2019 [without technical details] |
| Vendor Fix | N/A |
| Public Disclosure | N/A |
| Latest Modification | January 24, 2019 |
| CVE Identifier(s) | Pending |
| Product Description | Avaya is an American multinational technology company headquartered in Santa Clara, California that specializes in business communications, specifically unified communications, contact center, and services. |
| Credits | Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group |
| SQL Injection | |||
| Severity: Critical | CVSS Score: 9.8 | CWE-ID: CWE-89, CWE-94, CWE-116 | Status: Not Fixed |
| Vulnerability Description | |||
| The web application running on Avaya IP Office Contact Center is affected by SQL Injection affecting Version: 10.1.2.1 Build 9400 and probably prior versions. An SQL injection occurs when a value originating from the client's request is used within a SQL query without proper sanitisation. This could allow attackers to execute arbitrary SQL code and steal data or use the additional functionality of the database server to take control of more server components. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Unchanged |
| Attack Complexity | Low | Confidentiality Impact | High |
| Privileges Required | None | Integrity Impact | High |
| User Interaction | None | Availability Impact | High |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.