CVE-2008-6573

EUVD-2008-6536

01.04.2009, 22:30

Multiple SQL injection vulnerabilities in Avaya SIP Enablement Services (SES) in Avaya Avaya Communication Manager 3.x, 4.0, and 5.0 (1) allow remote attackers to execute arbitrary SQL commands via unspecified vectors related to profiles in the SIP Personal Information Manager (SPIM) in the web interface; and allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to (2) permissions for SPIM profiles in the web interface and (3) a crafted SIP request to the SIP server.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.8 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Score

CVSS 3.x

EPSS Score

Percentile: 72%

Affected Products (NVD)

Vendor	Product	Version
avaya	communication_manager	𝑥 ≤ 3.1
avaya	communication_manager	3.1.1
avaya	communication_manager	3.1.2
avaya	communication_manager	3.1.3
avaya	communication_manager	3.1.4
avaya	communication_manager	3.1.4:sp1
avaya	communication_manager	3.1.4:sp2
avaya	communication_manager	3.1.5
avaya	communication_manager	3.1.5:sp0
avaya	communication_manager	4.0
avaya	communication_manager	5.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

http://osvdb.org/44284

http://osvdb.org/44285

http://osvdb.org/44286

http://secunia.com/advisories/29744

http://support.avaya.com/elmodocs2/security/ASA-2008-150.htm

http://support.avaya.com/elmodocs2/security/ASA-2008-151.htm

http://www.securityfocus.com/bid/28682

http://www.voipshield.com/research-details.php?id=22

http://www.voipshield.com/research-details.php?id=25

http://www.voipshield.com/research-details.php?id=26

https://exchange.xforce.ibmcloud.com/vulnerabilities/41730

https://exchange.xforce.ibmcloud.com/vulnerabilities/41733

http://osvdb.org/44284

http://osvdb.org/44285

http://osvdb.org/44286

http://secunia.com/advisories/29744

http://support.avaya.com/elmodocs2/security/ASA-2008-150.htm

http://support.avaya.com/elmodocs2/security/ASA-2008-151.htm

http://www.securityfocus.com/bid/28682

http://www.voipshield.com/research-details.php?id=22

http://www.voipshield.com/research-details.php?id=25

http://www.voipshield.com/research-details.php?id=26

https://exchange.xforce.ibmcloud.com/vulnerabilities/41730

https://exchange.xforce.ibmcloud.com/vulnerabilities/41733