Avaya Call Management System CSV injection vulnerability

CVE-2023-3527

6.8MEDIUM

Key Information

Vendor: Avaya
Status: Avaya Call Management System
Vendor: CVE Published:; 18 July 2023

Summary

A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel.

Affected Version(s)

Avaya Call Management System = 19.x.x.x

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 18, 2023
Vulnerability Reserved.
Jul 6, 2023

Collectors

NVD DatabaseMitre Database