CRITICAL🇵🇱 Wersja polska

CVE-2024-4196

CVSS 10.0v3.1pub. 2024-06-25upd. 2025-10-01

An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1.

🤖 AI Analysis
How it works

An attacker sends a specially crafted HTTP request to the Web Control component of the Avaya IP Office system. Lack of proper input data validation allows malicious data to be smuggled in, which is then interpreted and executed by the system as commands or code. The attack does not require authentication or user interaction, and its effects extend beyond the boundaries of the attacked component (scope changed).

Impact

Attackers can gain full control over the system, including reading and modifying sensitive data and disrupting service availability — which corresponds to the maximum level of impact on confidentiality, integrity, and availability.

Mitigation & patch

Avaya IP Office should be updated to version 11.1.3.1 or newer as soon as possible. Detailed information about the patch is available in the official Avaya security bulletin at: https://download.avaya.com/css/public/documents/101090768

Who is affected

All versions of Avaya IP Office prior to 11.1.3.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Avaya Ip Office

    APP
    Avaya
    < 11.1.3.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-4197CRITICAL9.9PL ✓ten sam produkt

Unrestricted file upload umożliwiający RCE w Avaya IP Office (One-X)

CVE-2017-11309CRITICAL9.6ten sam produkt

Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute ar...

CVE-2021-25657HIGH7.8ten sam produkt

A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may pot...

CVE-2019-7005HIGH7.5ten sam produkt

A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote...

CVE-2016-5285HIGH7.5ten sam produkt

A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL che...