Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Vendor URL: https://www.avaya.com/
Versions affected: 10.0 through 10.1 SP3, 11.0
Systems Affected: Avaya IP Office
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com
Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317
Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614
Affected functionality: the Conference Scheduler Service and the Add Tab and Add Group functionalities.
This vulnerability could allow an authenticated user to perform stored cross site scripting attacks that affect other application users, and to capture a user’s session token or credentials.
POST /inyama/ConferenceSchedulerService HTTP/1.1
7|0|14|https://<REDACTED>|com.avaya.client.gadgets.confscheduler.ConferenceSchedulerService|scheduleConferenceRequest|com.avaya.client.gadgets.confscheduler.ScheduledConference/1439677524|Z|Test"><img src=# onerror=alert(document.cookie)>|5289||Avaya IP Office Conference: Audio-5289;|java.util.HashSet/3273092938|<REDACTED>
The following screenshot shows the stored XSS payload executing in a second user's session:
Figure 1 Triggering stored XSS Payload
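The request above is a GWT-RPC body, whose pipe-delimited header (version, flags, string count) is followed by a string table. As an added example, not part of the NCC Group advisory or Avaya's code, the following sketch parses that table from a logged request body and flags entries carrying HTML metacharacters, which is how the conference name in the request stands out. It assumes the GWT-RPC convention that a literal pipe inside a string is escaped as `\!`; the `portal.example` URL and the `SAMPLE` body are constructed from the redacted request.

```python
import re

# Characters that let a value close an HTML attribute or open a new tag.
MARKUP = re.compile(r"[<>\"']")
# GWT-RPC string escapes handled here: \! -> |, \\ -> \, \0 -> NUL.
UNESCAPE = {"!": "|", "\\": "\\", "0": "\0"}

def unescape(s):
    """Undo GWT-RPC string escaping; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: UNESCAPE.get(m.group(1), m.group(0)), s)

def gwt_strings(body):
    """Return the string table of a GWT-RPC body: version|flags|count|s1|...|sN|..."""
    fields = body.split("|")
    if len(fields) < 3 or not fields[2].isdigit():
        raise ValueError("not a GWT-RPC request body")
    count = int(fields[2])
    # A truncated or redacted capture may hold fewer strings than declared.
    return [unescape(s) for s in fields[3:3 + count]]

def suspicious_strings(body):
    """(1-based table position, value) for entries containing HTML metacharacters."""
    return [(i, s) for i, s in enumerate(gwt_strings(body), start=1)
            if MARKUP.search(s)]

# Constructed sample: the advisory's request with the redacted base URL replaced
# by a placeholder and the redacted tail dropped (10 of 14 declared strings).
SAMPLE = (
    "7|0|14|https://portal.example/"
    "|com.avaya.client.gadgets.confscheduler.ConferenceSchedulerService"
    "|scheduleConferenceRequest"
    "|com.avaya.client.gadgets.confscheduler.ScheduledConference/1439677524"
    "|Z|Test\"><img src=# onerror=alert(document.cookie)>|5289|"
    "|Avaya IP Office Conference: Audio-5289;|java.util.HashSet/3273092938"
)

if __name__ == "__main__":
    for pos, value in suspicious_strings(SAMPLE):
        print(f"string #{pos} contains markup characters: {value!r}")
```

A check like this is a triage aid for proxy or application logs and will also flag legitimate names that contain quotes; it does not replace the vendor fix.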
For 10.x, upgrade to 10.1 SP4 or later. For 11.x, upgrade to 11.0 SP1 or later.
According to the vendor, the “Resolution” column at the Avaya advisory URL will be updated as fixes are made available.
2017-02-24 Advisory reported to Avaya
2017-03-01 Avaya Acknowledgement
2018-12-21 Patch released
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.