Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability

Vendor: Avaya

Vendor URL: https://www.avaya.com/

Versions affected: 10.0 through 10.1 SP3, 11.0

Systems Affected: Avaya IP Office

Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com

Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317

Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614

Risk: Medium

Summary

The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as input to a web application is stored within back-end systems, and that code is later used in a dynamically-generated web page without being correctly HTML-encoded.

Location

Conference Scheduler Service, Add Tab and Add Group functionalities.

Impact

This vulnerability could allow an authenticated user to perform stored cross-site scripting attacks that affect other application users, including capturing a user’s session token or credentials.

If a lower-privileged user were to exploit this vulnerability with a suitable payload, when a user with higher privileges viewed that page the malicious JavaScript code would be executed within the context of the currently authenticated user’s session, resulting in a privilege escalation attack.

Details

The following request edits the user’s application form in order to inject a malicious JavaScript payload; it targets the same user role as an example proof of concept:

POST /inyama/ConferenceSchedulerService HTTP/1.1
<REDACTED>

7|0|14|https://<REDACTED>|com.avaya.client.gadgets.confscheduler.ConferenceSchedulerService|scheduleConferenceRequest|com.avaya.client.gadgets.confscheduler.ScheduledConference/1439677524|Z|Test"><img src=# onerror=alert(document.cookie)>|5289||Avaya IP Office Conference: Audio-5289;|java.util.HashSet/3273092938|<REDACTED>

The following screenshot shows the execution of the stored XSS payload in the second user’s session:

[Figure 1: Triggering stored XSS payload]
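The root cause described above is output encoding, not input handling: the scheduler stores the string as submitted and a later page renders it as markup. The following is an added illustration, not Avaya's One-X Portal code (which is a Java/GWT application), showing the vulnerable rendering pattern beside a hardened one, with the advisory's proof-of-concept string used as constructed sample input:

```javascript
// Added example (not vendor code): HTML-encode user-controlled conference
// fields before they are placed into generated markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated straight into markup,
// so a stored payload becomes live HTML in every viewer's session.
function renderConferenceUnsafe(conf) {
  return `<li class="conf" data-id="${conf.id}">${conf.name}</li>`;
}

// Hardened pattern: every user-controlled value is encoded for the HTML
// context it lands in (attribute value and element text).
function renderConferenceSafe(conf) {
  return `<li class="conf" data-id="${escapeHtml(conf.id)}">${escapeHtml(conf.name)}</li>`;
}

// Count element start tags in rendered output; a single conference entry
// should produce exactly one (<li>). Useful as a regression check.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample mirroring the advisory's proof-of-concept string
// (field names are assumptions for this example).
const SAMPLE = { id: '5289', name: 'Test"><img src=# onerror=alert(document.cookie)>' };

console.log('unsafe tags:', countStartTags(renderConferenceUnsafe(SAMPLE))); // 2
console.log('safe tags:  ', countStartTags(renderConferenceSafe(SAMPLE)));   // 1
```

Encoding must happen at the point of output for the specific context (HTML text, attribute, JavaScript, URL); a single stored-side filter cannot cover all of them.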

Recommendation

For 10.x, upgrade to 10.1 SP4 or later. For 11.x, upgrade to 11.0 SP1 or later.

According to the vendor, the “Resolution” column at the Avaya advisory URL will be updated as fixes are made available.

Vendor Communication

2017-02-22 Discovered

2017-02-24 Advisory reported to Avaya

2017-03-01 Avaya Acknowledgement

2018-12-21 Patch released

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
