Vendor: Avaya
Vendor URL: https://www.avaya.com/
Versions affected: 10.0 through 10.1 SP3, 11.0
Systems Affected: Avaya IP Office
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com
Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317
Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614
Risk: Medium
Summary
The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as input to a web application is stored within back-end systems, and that code is later used in a dynamically-generated web page without being correctly HTML-encoded.
Location
Conference Scheduler Service, Add Tab and Add Group functionalities.
Impact
This vulnerability could allow an authenticated user to perform stored cross-site scripting attacks that could affect other application users, as well as capture a user’s session token or credentials.
If a lower-privileged user were to exploit this vulnerability with a suitable payload, when a user with higher privileges viewed that page the malicious JavaScript code would be executed within the context of the currently authenticated user’s session, resulting in a privilege escalation attack.
Details
The following request, used here as a proof of concept, edits the user’s application form in order to inject a malicious JavaScript payload targeting the same user role:
POST /inyama/ConferenceSchedulerService HTTP/1.1
<redacted>

7|0|14|https://<redacted>|com.avaya.client.gadgets.confscheduler.ConferenceSchedulerService|scheduleConferenceRequest|com.avaya.client.gadgets.confscheduler.ScheduledConference/1439677524|Z|Test"><img src="#" onerror="alert(document.cookie)">|5289||Avaya IP Office Conference: Audio-5289;|java.util.HashSet/3273092938|<redacted>
The following screenshot shows the execution of the stored XSS payload in a second user’s session:
[Figure 1: Triggering the stored XSS payload]
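The Summary describes the defect at the root of this finding: a value such as the conference name is accepted on input, stored, and later written into a dynamically generated page without being HTML-encoded. The following JavaScript is an added illustration of that defect and its fix; it is not Avaya's code, and the stored records, the rendering functions and the helper names are constructed for this example. It takes the advisory's own proof-of-concept string as one stored name, renders it once with raw interpolation and once with output encoding, and includes a simple scan of the stored data that a defender could use to spot names carrying markup.

```javascript
// Added example (not Avaya's code): a stored conference name as an XSS sink,
// the same name rendered with HTML-encoding, and a check over stored data.
'use strict';

// Constructed sample of what a back-end store could hold after one user
// saves a conference whose name contains the advisory's PoC markup.
const storedConferences = [
  { id: 5289, name: 'Weekly sync' },
  { id: 5290, name: 'Test"><img src="#" onerror="alert(document.cookie)">' },
];

// Minimal HTML encoder for the characters that change meaning in element
// content and in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored data interpolated straight into markup.
function renderUnsafe(conferences) {
  return conferences
    .map((c) => `<li data-id="${c.id}">${c.name}</li>`)
    .join('\n');
}

// Hardened pattern: every untrusted value is encoded at the point where it
// is emitted into HTML, independent of whatever input validation ran earlier.
function renderSafe(conferences) {
  return conferences
    .map((c) => `<li data-id="${escapeHtml(c.id)}">${escapeHtml(c.name)}</li>`)
    .join('\n');
}

// Regression check for rendered output: counts live <img ... onerror=...> tags.
// Encoded output contains "&lt;img", which this pattern does not match.
function countInjectedTags(html) {
  return (html.match(/<img\b[^>]*\bonerror\s*=/gi) || []).length;
}

// Defender-side scan of stored data: returns ids of records whose name looks
// like the start of an HTML tag, so they can be reviewed after patching.
function findSuspiciousNames(conferences) {
  return conferences
    .filter((c) => /<[a-z!\/?]/i.test(c.name))
    .map((c) => c.id);
}

// Stand-alone run: show both renderings and the scan result.
console.log('unsafe:\n' + renderUnsafe(storedConferences));
console.log('safe:\n' + renderSafe(storedConferences));
console.log('records to review:', findSuspiciousNames(storedConferences));
```

The point of `renderSafe` is that encoding happens at output time for each value, which is the control the Summary says was missing; filtering on input alone would not protect pages that render data stored before the filter existed, which is why the scan over stored records is worth running after the upgrade.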
Recommendation
For 10.x, upgrade to 10.1 SP4 or later. For 11.x, upgrade to 11.0 SP1 or later.
According to the vendor, the “Resolution” column at the Avaya advisory URL will be updated as fixes are made available.
Vendor Communication
2017-02-22 Discovered
2017-02-24 Advisory reported to Avaya
2017-03-01 Avaya Acknowledgement
2018-12-21 Patch released
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.