CVE-2020-7032

CWE-611 — XML External Entity (XXE)3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 37.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Avaya System Manager Avaya Weblm Avaya Aura System Manager

Timeline

PublishedNov 13

Latest updateMay 24

Description

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:HExploitability: 1.2 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5avaya/weblm7.0 — 7.1.3.6+2

▶NVDavaya/weblm8.0.0 — 8.1.3+1

▶CVEListV5avaya/system_manager7.0 — 7.1.3.6+2

▶NVDavaya/aura_system_manager7.0 — 7.1.3.6+1

🔴Vulnerability Details

GHSA

GHSA-q87h-3ppq-wwf5: An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side re↗2022-05-24

▶

CVEList

Avaya WebLM Improper Restriction of XML External Entity Reference↗2020-11-13

▶