XSS - Part 3


#############################################################

#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Avaya Equinox
# Vendor: Avaya
# CSNC ID: CSNC-2020-028
# CVE ID: CVE-2020-7038
# Subject: Missing Function Level Authorization
# Risk: High
# Effect: Remotely exploitable
# Authors: Sylvain Heiniger <sylvain.heiniger@compass-security.com>
# Alex Joss <alex.joss@compass-security.com>
# Date: 2021-05-19
#
#############################################################

Introduction
------------
Avaya Equinox® Conferencing [1] delivers an all-inclusive
solution for voice, video and desktop sharing. It enables
organizations to deploy on virtualized platforms, realizing
simplicity and efficiency and providing the elegant, simple
user experience that Avaya Workspaces offers. Leveraging
virtualized platforms also brings scaling and redundancy
capabilities that lower TCO for customers with a full video
endpoint conferencing suite of features. Solution components
include: Avaya Equinox Management, Avaya Equinox Media
Server, Avaya Aura Web Gateway, Avaya Equinox H.323 Edge,
Avaya Equinox Streaming and Recording, Avaya Aura Session
Border Controller, Avaya Workplace Client, Avaya XT Room
Systems, Avaya Collaboration Unit CU360.

During a security assessment, Compass Security analysts
found that the API delivering stills of screen-sharing and
whiteboard sessions lacks authentication and authorization
checks: the still of a session is served without verifying
who the caller is or whether the caller is entitled to view
that session.
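As an added illustration of the vulnerability class (this is not code from the advisory, from Compass Security or from Avaya), the Python sketch below contrasts a handler that serves a screen-sharing or whiteboard still to anyone who knows the meeting identifier with one that enforces both authentication and a per-meeting authorization check. All names, the session store and the meeting registry are hypothetical stand-ins constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for a session store and a meeting registry.
# Real deployments would back these with the conferencing platform's
# own session and roster data; these values are invented for the demo.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}
MEETINGS = {
    "m-100": {"participants": {"alice", "bob"}, "still": b"\x89PNG-still"},
}


@dataclass
class Request:
    meeting_id: str
    auth_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: bytes = b""


def get_still_vulnerable(req: Request) -> Response:
    """Missing function-level authorization: anyone who knows (or can
    guess) a meeting id receives the still; no identity check at all."""
    meeting = MEETINGS.get(req.meeting_id)
    if meeting is None:
        return Response(404)
    return Response(200, meeting["still"])


def get_still_fixed(req: Request) -> Response:
    """Hardened form: first authenticate the caller, then verify that
    the caller is a participant of that specific meeting before serving
    the still. Both checks are done inside the handler itself, so the
    endpoint stays protected even if no gateway-level filter applies."""
    user = SESSIONS.get(req.auth_token or "")
    if user is None:
        return Response(401)  # not authenticated
    meeting = MEETINGS.get(req.meeting_id)
    if meeting is None:
        return Response(404)  # unknown meeting
    if user not in meeting["participants"]:
        return Response(403)  # authenticated, but not entitled to this meeting
    return Response(200, meeting["still"])
```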

Affected
--------
Vulnerable version:
* Avaya Equinox® Conferencing 9.0 through 9.1 FP10

Patched version:
* Avaya Meetings® Server R9.1 FP11 or later

Workaround / Fix
----------------
Install the updated version provided by Avaya [2].

Timeline
--------
2020-11-03: Discovery by Sylvain Heiniger
2020-11-13: Initial vendor notification
2020-11-19: Initial vendor response
2021-04-28: Release of fixed Version / Patch
2021-05-19: Coordinated public disclosure date

References
----------
[1] https://support.avaya.com/products/P1670/avaya-equinox-conferencing/9.1.x
[2] https://downloads.avaya.com/css/P8/documents/101075574
