Vulnerability Name:

CVE-2008-6707 (CCN-43389)

Assigned:2008-06-25
Published:2008-06-25
Updated:2017-08-17
Summary:The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Athentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
Vulnerability Type:CWE-287
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2008-6707

Source: OSVDB
Type: UNKNOWN
46598

Source: OSVDB
Type: UNKNOWN
46599

Source: OSVDB
Type: UNKNOWN
46600

Source: CCN
Type: SA30751
Avaya SIP Enablement Services Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
30751

Source: CONFIRM
Type: Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm

Source: CCN
Type: ASA-2008-268
Additional Input Validation Vulnerabilities in Avaya SES SIP Server

Source: CCN
Type: Avaya Web site
Telecommunication Systems by Avaya: Business Telecommunications for your Company

Source: CCN
Type: OSVDB ID: 46598
Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access

Source: CCN
Type: OSVDB ID: 46599
Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution

Source: CCN
Type: OSVDB ID: 46600
Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution

Source: BID
Type: UNKNOWN
29939

Source: CCN
Type: BID-29939
Avaya Communication Manager Multiple Security Vulnerabilities

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=86

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=87

Source: CCN
Type: VoIP Security Advisory, 2008-06-25
SIP Enablement Service Web Interface Default Application Execution

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=88

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=89

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=90

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=91

Source: VUPEN
Type: UNKNOWN
ADV-2008-1943

Source: XF
Type: UNKNOWN
avaya-ses-objectsfolder-code-execution(43381)

Source: XF
Type: UNKNOWN
avaya-ses-certificate-info-disclosure(43384)

Source: XF
Type: UNKNOWN
avaya-ses-application-unauth-access(43389)

Source: XF
Type: UNKNOWN
avaya-ses-application-unauth-access(43389)

Source: XF
Type: UNKNOWN
avaya-ses-statesfolder-code-execution(43393)

Source: XF
Type: UNKNOWN
avaya-ses-application-info-disclosure(43394)

Source: XF
Type: UNKNOWN
avaya-ses-help-information-disclosure(43395)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:avaya:sip_enablement_services:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:sip_enablement_services:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:sip_enablement_services:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:sip_enablement_services:4.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.4:sp1:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.4:sp2:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.5:sp0:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2008-6707 (CCN-43394)

    Assigned:2008-06-25
    Published:2008-06-25
    Updated:2017-08-17
    Summary:The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
    CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): None
    Availibility (A): None
    CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
    5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Authentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
    4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Athentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    Vulnerability Type:CWE-287
    Vulnerability Consequences:Obtain Information
    References:Source: MITRE
    Type: CNA
    CVE-2008-6707

    Source: CCN
    Type: SA30751
    Avaya SIP Enablement Services Multiple Vulnerabilities

    Source: CCN
    Type: ASA-2008-268
    Additional Input Validation Vulnerabilities in Avaya SES SIP Server

    Source: CCN
    Type: Avaya Web site
    Telecommunication Systems by Avaya: Business Telecommunications for your Company

    Source: CCN
    Type: OSVDB ID: 46598
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access

    Source: CCN
    Type: OSVDB ID: 46599
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution

    Source: CCN
    Type: OSVDB ID: 46600
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution

    Source: CCN
    Type: BID-29939
    Avaya Communication Manager Multiple Security Vulnerabilities

    Source: CCN
    Type: VoIP Security Advisory, 2008-06-25
    SIP Enablement Service Web Interface Server Configuration Information Application Execution

    Source: XF
    Type: UNKNOWN
    avaya-ses-application-info-disclosure(43394)

    Vulnerability Name:

    CVE-2008-6707 (CCN-43395)

    Assigned:2008-06-25
    Published:2008-06-25
    Updated:2008-06-25
    Summary:Avaya SIP Enablement Service (SES) could allow a remote attacker to obtain sensitive information, caused by misconfiguration of the Web administration interface. A remote attacker could exploit this vulnerability to access full system help without authentication.
    CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): None
    Availibility (A): None
    CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
    5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:U/RC:UR)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Authentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
    4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Athentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availibility (A): 
    Vulnerability Consequences:Obtain Information
    References:Source: MITRE
    Type: CNA
    CVE-2008-6707

    Source: CCN
    Type: SA30751
    Avaya SIP Enablement Services Multiple Vulnerabilities

    Source: CCN
    Type: ASA-2008-268
    Additional Input Validation Vulnerabilities in Avaya SES SIP Server

    Source: CCN
    Type: Avaya Web site
    Telecommunication Systems by Avaya: Business Telecommunications for your Company

    Source: CCN
    Type: OSVDB ID: 46598
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated System Help Access

    Source: CCN
    Type: OSVDB ID: 46599
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Default Application Execution

    Source: CCN
    Type: OSVDB ID: 46600
    Avaya SIP Enablement Services (SES) Web Admin Interface Unauthenticated Multiple Folder Arbitrary Default Script Execution

    Source: CCN
    Type: BID-29939
    Avaya Communication Manager Multiple Security Vulnerabilities

    Source: CCN
    Type: VoIP Security Advisory, 2008-06-25
    SIP Enablement Service Web Interface Unrestricted Help Access

    Source: XF
    Type: UNKNOWN
    avaya-ses-help-information-disclosure(43395)

    Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:avaya:communication_manager:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:avaya:communication_manager:3.1.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    avaya sip enablement services 3.0
    avaya sip enablement services 3.1
    avaya sip enablement services 3.1.1
    avaya sip enablement services 4.0
    avaya communication manager 3.1
    avaya communication manager 3.1.1
    avaya communication manager 3.1.2
    avaya communication manager 3.1.3
    avaya communication manager 3.1.4
    avaya communication manager 3.1.4 sp1
    avaya communication manager 3.1.4 sp2
    avaya communication manager 3.1.5
    avaya communication manager 3.1.5 sp0
    avaya communication manager 3.1
    avaya communication manager 4.0
    avaya communication manager 3.1.1
    avaya communication manager 3.1
    avaya communication manager 4.0
    avaya communication manager 3.1.1