ID CVE-2012-3811
Summary Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type'
References
Vulnerable Configurations
  • cpe:2.3:a:avaya:ip_office_customer_call_reporter:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:avaya:ip_office_customer_call_reporter:8.0:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 17-07-2012 - 04:00)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
confirm https://downloads.avaya.com/css/P8/documents/100164021
misc http://zerodayinitiative.com/advisories/ZDI-12-106/
saint via4
bid 54225
description Avaya IP Office Customer Call Reporter ImageUpload.ashx file upload
id net_avayaipofficever
osvdb 83399
title avaya_ip_office_customer_call_reporter_imageupload
type remote
Last major update 17-07-2012 - 04:00
Published 03-07-2012 - 19:55
Last modified 17-07-2012 - 04:00