cbcvebase.
CVE-2012-3811
published 2012-07-03


Priority P277 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.88% (99.1th percentile)
Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
avaya | ip_office_customer_call_reporter
avaya | ip_office_customer_call_reporter

Detection & IOCs (extracted from sources)

url: /ImageUpload.ashx
path: ImageUpload.ashx
  • Monitor for multipart/form-data POST requests to ImageUpload.ashx — this is the upload vector used by the exploit
  • A successful upload response contains the JSON key-value pair '"Key":"RadUAG_success","Value":true' — detect this in server responses to identify successful exploitation
  • The exploit uploads an ASPX-wrapped EXE payload (exe_aspx format) — look for .aspx file uploads to the Wallboard application directory
  • The Metasploit module targets the default URI path '/' for Avaya CCR — monitor all HTTP methods to ImageUpload.ashx regardless of base path
  • Affected versions confirmed in exploit testing are 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2 — prioritize detection on these versions
  • The exploit requires no authentication: no credentials are needed to reach ImageUpload.ashx
  • Patched versions are 7.0.5.8 Q1 2012 Maintenance Release and 8.0.9.13 Q1 2012 Maintenance Release; detections should focus on unpatched instances below these versions
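
The indicators listed above can be combined into one scoring pass over HTTP transaction logs. The following is an added example, not code from this page or from any vendor. It assumes a proxy or WAF that writes one JSON record per request with the hypothetical fields method, uri, req_content_type, upload_filename and resp_body; the sample records and the /wallboard/ and /app/ base paths are constructed.

```python
import json
import re
from urllib.parse import urlsplit, unquote

HANDLER = "imageupload.ashx"
# Success marker quoted on this page, tolerant of whitespace in the JSON.
SUCCESS_RE = re.compile(r'"Key"\s*:\s*"RadUAG_success"\s*,\s*"Value"\s*:\s*true')
LEVELS = ["low", "medium", "high", "critical"]

def classify(event):
    """Return (severity, reasons) for one HTTP transaction, or None if unrelated."""
    path = unquote(urlsplit(event.get("uri") or "").path)
    # IIS paths are case-insensitive and may carry a base path or trailing
    # path info, so look for the handler in any path segment.
    if HANDLER not in [seg.lower() for seg in path.split("/")]:
        return None
    level, reasons = 0, ["request to ImageUpload.ashx"]  # any method is logged
    ctype = (event.get("req_content_type") or "").lower()
    if (event.get("method") or "").upper() == "POST" and ctype.startswith("multipart/form-data"):
        level, reasons = 1, reasons + ["multipart/form-data POST"]
        # Windows drops trailing dots and spaces, so "x.aspx." lands as "x.aspx".
        name = (event.get("upload_filename") or "").lower().rstrip(". ")
        if name.endswith(".aspx"):
            level, reasons = 2, reasons + [".aspx upload"]
        if SUCCESS_RE.search(event.get("resp_body") or ""):
            level, reasons = level + 1, reasons + ["RadUAG_success=true in response"]
    return LEVELS[level], reasons

def scan(lines):
    """Classify JSON-lines records; return [(line_number, severity, reasons)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(json.loads(line))
        if result:
            hits.append((n, *result))
    return hits

# Constructed sample records (not real traffic); field names are assumptions.
MP = "multipart/form-data; boundary=x"
OK = '[{"Key":"RadUAG_success","Value":true}]'
SAMPLE = [json.dumps(r) for r in [
    {"method": "GET", "uri": "/index.aspx"},
    {"method": "GET", "uri": "/wallboard/ImageUpload.ashx"},
    {"method": "POST", "uri": "/ImageUpload.ashx", "req_content_type": MP,
     "upload_filename": "logo.png", "resp_body": OK},
    {"method": "POST", "uri": "/app/imageupload.ASHX?x=1", "req_content_type": MP,
     "upload_filename": "a.aspx", "resp_body": OK},
    {"method": "POST", "uri": "/ImageUpload.ashx", "req_content_type": MP,
     "upload_filename": "b.aspx", "resp_body": "error"},
]]
```

Calling scan(SAMPLE) returns one tuple per matching record; the version bullets above are not encoded here and still decide which hosts to triage first.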