#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Avaya Equinox
# Vendor: Avaya
# CSNC ID: CSNC-2020-028
# CVE ID: CVE-2020-7038
# Subject: Missing Function Level Authorization
# Risk: High
# Effect: Remotely exploitable
# Authors: Sylvain Heiniger <sylvain.heiniger@compass-security.com>
# Alex Joss <alex.joss@compass-security.com>
# Date: 2021-05-19
#
#############################################################
Introduction
------------
Avaya Equinox® Conferencing [1] delivers an all-inclusive
solution for voice, video and desktop sharing. It enables
organizations to deploy on virtualized platforms, realizing
simplicity and efficiency while providing the elegant and
simple user experience that Avaya Workspaces offers. By
leveraging virtualized platforms, it gains scaling and
redundancy capabilities that enable a lower TCO for customers,
together with a full video endpoint conferencing suite of
features. Solution components include: Avaya Equinox
Management, Avaya Equinox Media Server, Avaya Aura Web
Gateway, Avaya Equinox H.323 Edge, Avaya Equinox Streaming
and Recording, Avaya Aura Session Border Controller, Avaya
Workplace Client, Avaya XT Room Systems, Avaya Collaboration
Unit CU360.
Affected
--------
Vulnerable version:
* Avaya Equinox® Conferencing 9.0 through 9.1 FP10
Patched version:
* Avaya Meetings® Server R9.1 FP11 or later
Workaround / Fix
----------------
Install the updated version provided by Avaya [2].
Timeline
--------
2020-11-03: Discovery by Sylvain Heiniger
2020-11-13: Initial vendor notification
2020-11-19: Initial vendor response
2021-04-28: Release of fixed version / patch
2021-05-19: Coordinated public disclosure date
References
----------
[1] https://support.avaya.com/products/P1670/avaya-equinox-conferencing/9.1.x
[2] https://downloads.avaya.com/css/P8/documents/101075574