CVE-2020-7032 - XXE vulnerability in Avaya Aura System Manager and WebLM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: HIGH
Summary
An XML external entity (XXE) vulnerability in the Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
References
- http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html
- http://seclists.org/fulldisclosure/2020/Nov/31
- https://downloads.avaya.com/css/P8/documents/101072249
- https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager/