Vulnerability Name: CVE-2008-6707 (CCN-43389)
Assigned: 2008-06-25
Published: 2008-06-25
Updated: 2017-08-17
Summary: The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
  5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
  4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Vulnerability Type: CWE-287
Vulnerability Consequences: Gain Access
References:
  Source: MITRE Type: CNA CVE-2008-6707
  Source: OSVDB Type: UNKNOWN 46598
  Source: OSVDB Type: UNKNOWN 46599
  Source: OSVDB Type: UNKNOWN 46600
  Source: CCN Type: SA30751 Avaya SIP Enablement Services Multiple Vulnerabilities
  Source: SECUNIA Type: UNKNOWN 30751
  Source: CONFIRM Type: Vendor Advisory http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm
  Source: CCN Type: ASA-2008-268 Additional Input Validation Vulnerabilities in Avaya SES SIP Server
  Source: CCN Type: Avaya Web site Telecommunication Systems by Avaya: Business Telecommunications for your Company
  Source: CCN Type: OSVDB ID: 46598 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access
  Source: CCN Type: OSVDB ID: 46599 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution
  Source: CCN Type: OSVDB ID: 46600 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution
  Source: BID Type: UNKNOWN 29939
  Source: CCN Type: BID-29939 Avaya Communication Manager Multiple Security Vulnerabilities
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=86
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=87
  Source: CCN Type: VoIP Security Advisory, 2008-06-25 SIP Enablement Service Web Interface Default Application Execution
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=88
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=89
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=90
  Source: MISC Type: UNKNOWN http://www.voipshield.com/research-details.php?id=91
  Source: VUPEN Type: UNKNOWN ADV-2008-1943
  Source: XF Type: UNKNOWN avaya-ses-objectsfolder-code-execution(43381)
  Source: XF Type: UNKNOWN avaya-ses-certificate-info-disclosure(43384)
  Source: XF Type: UNKNOWN avaya-ses-application-unauth-access(43389)
  Source: XF Type: UNKNOWN avaya-ses-statesfolder-code-execution(43393)
  Source: XF Type: UNKNOWN avaya-ses-application-info-disclosure(43394)
  Source: XF Type: UNKNOWN avaya-ses-help-information-disclosure(43395)
Vulnerable Configuration: Configuration 1: Configuration CCN 1:

Vulnerability Name: CVE-2008-6707 (CCN-43394)
Assigned: 2008-06-25
Published: 2008-06-25
Updated: 2017-08-17
Summary: The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity:
  6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
  5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
  4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR)
Vulnerability Type: CWE-287
Vulnerability Consequences: Obtain Information
References:
  Source: MITRE Type: CNA CVE-2008-6707
  Source: CCN Type: SA30751 Avaya SIP Enablement Services Multiple Vulnerabilities
  Source: CCN Type: ASA-2008-268 Additional Input Validation Vulnerabilities in Avaya SES SIP Server
  Source: CCN Type: Avaya Web site Telecommunication Systems by Avaya: Business Telecommunications for your Company
  Source: CCN Type: OSVDB ID: 46598 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access
  Source: CCN Type: OSVDB ID: 46599 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution
  Source: CCN Type: OSVDB ID: 46600 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution
  Source: CCN Type: BID-29939 Avaya Communication Manager Multiple Security Vulnerabilities
  Source: CCN Type: VoIP Security Advisory, 2008-06-25 SIP Enablement Service Web Interface Server Configuration Information Application Execution
  Source: XF Type: UNKNOWN avaya-ses-application-info-disclosure(43394)

Vulnerability Name: CVE-2008-6707 (CCN-43395)
Assigned: 2008-06-25
Published: 2008-06-25
Updated: 2008-06-25
Summary: Avaya SIP Enablement Service (SES) could allow a remote attacker to obtain sensitive information, caused by misconfiguration of the Web administration interface. A remote attacker could exploit this vulnerability to access full system help without authentication.
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity:
  6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
  5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
  4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR)
Vulnerability Consequences: Obtain Information
References:
  Source: MITRE Type: CNA CVE-2008-6707
  Source: CCN Type: SA30751 Avaya SIP Enablement Services Multiple Vulnerabilities
  Source: CCN Type: ASA-2008-268 Additional Input Validation Vulnerabilities in Avaya SES SIP Server
  Source: CCN Type: Avaya Web site Telecommunication Systems by Avaya: Business Telecommunications for your Company
  Source: CCN Type: OSVDB ID: 46598 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access
  Source: CCN Type: OSVDB ID: 46599 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution
  Source: CCN Type: OSVDB ID: 46600 Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution
  Source: CCN Type: BID-29939 Avaya Communication Manager Multiple Security Vulnerabilities
  Source: CCN Type: VoIP Security Advisory, 2008-06-25 SIP Enablement Service Web Interface Unrestricted Help Access
  Source: XF Type: UNKNOWN avaya-ses-help-information-disclosure(43395)
Vulnerable Configuration: Configuration CCN 1: