CVE-2018-15610
12.09.2018, 21:29
A vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 through 10.1 SP2.
Vendor | Product | Version |
---|---|---|
avaya | ip_office | 9.1 |
avaya | ip_office | 9.1:sp1 |
avaya | ip_office | 9.1:sp10 |
avaya | ip_office | 9.1:sp11 |
avaya | ip_office | 9.1:sp12 |
avaya | ip_office | 9.1:sp2 |
avaya | ip_office | 9.1:sp3 |
avaya | ip_office | 9.1:sp4 |
avaya | ip_office | 9.1:sp5 |
avaya | ip_office | 9.1:sp6 |
avaya | ip_office | 9.1:sp7 |
avaya | ip_office | 9.1:sp8 |
avaya | ip_office | 9.1:sp9 |
avaya | ip_office | 10.0 |
avaya | ip_office | 10.0:sp1 |
avaya | ip_office | 10.0:sp2 |
avaya | ip_office | 10.0:sp3 |
avaya | ip_office | 10.0:sp4 |
avaya | ip_office | 10.0:sp5 |
avaya | ip_office | 10.0:sp6 |
avaya | ip_office | 10.0:sp7 |
avaya | ip_office | 10.1 |
avaya | ip_office | 10.1:sp1 |
avaya | ip_office | 10.1:sp2 |
Common Weakness Enumeration
- CWE-284 - Improper Access Control: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.