OSVDB ID: 33300 Title: Avaya Multiple Products Unspecified Web Page Shell Command Injection |
Info |
|
|
Dates |
||||
|
|
Description |
Avaya Communication Manager in Avaya S8300 Media Server, S8500 Media Server, S87XX-Series Media Server, and Avaya SIP Enablement Services (SES)contain a flaw that may allow a malicious user to compromise a vulnerable system. Unspecified input validation errors in the input fields of certain maintenance web pages allow for shell command injection. A remote authenticated user could exploit this vulnerability to execute arbitrary shell commands at the same privilege level as the logged in user, resulting in a loss of integrity. |
Classification |
Location:
Remote / Network Access
Attack Type: Input Manipulation Impact: Loss of Integrity Disclosure: OSVDB Verified |
Solution |
Upgrade to the following versions of the affected products as they have been reported to fix this vulnerability: Avaya S8300 Media Server: Communication Manager version 3.1.3 or higher Avaya S8500 Media Server: Communication Manager version 3.1.3 or higher Avaya S87XX-Series Media Server: Communication Manager version 3.1.3 or higher Avaya SIP Enablement Services (SES): update not available The vendor recommends that following actions be taken for products where an update is not available: Restrict local and network access to the server. This restriction should be enforced through the use of physical security, firewalls, ACLs, VPNs, and other generally-accepted networking practices until such time as an update becomes available and can be installed. |
Products |
|
References |
Credit |
Unknown or Incomplete |