Security Research & Advisories

SQL Injection Vulnerabilities in Avaya IP Office Contact Center

Product Avaya IP Office Contact Center
Affected Version(s) Build 9400 and probably prior
Tested Version(s) Build 9400
Vendor Notification January 24, 2019
Advisory Publication January 24, 2019 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification January 24, 2019
CVE Identifier(s) Pending
Product Description Avaya is an American multinational technology company headquartered in Santa Clara, California that specializes in business communications, specifically unified communications, contact center, and services.
Credits Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

SQL Injection
Severity: Critical CVSS Score: 9.8 CWE-ID: CWE-89, CWE-94, CWE-116 Status: Not Fixed
Vulnerability Description
The web application running on Avaya IP Office Contact Center is affected by SQL Injection affecting Version: Build 9400 and probably prior versions. An SQL injection occurs when a value originating from the client's request is used within a SQL query without proper sanitisation. This could allow attackers to execute arbitrary SQL code and steal data or use the additional functionality of the database server to take control of more server components.
CVSS Base Score
Attack Vector Network Scope Unchanged
Attack Complexity Low Confidentiality Impact High
Privileges Required None Integrity Impact High
User Interaction None Availability Impact High


Full details about the vulnerability will be disclosed once the vendor has provided a patch.