Avaya Aura System Manager SQL Injection and Access Control Vulnerabilities (CVE-2024-7477/7480)

Key Information: 1. Vulnerability Description: - CVE-2024-7477: SQL Injection vulnerability allowing command-line interface (CLI) users with administrative privileges to execute arbitrary queries. - CVE-2024-7480: Inappropriate access control vulnerability allowing command-line interface (CLI) users with administrative privileges to read any file on the system. 2. Affected Products: - Avaya Aura System Manager: Versions 10.1.x.x and 10.2.x.x. 3. Remediation: - For versions 10.1.x.x and 10.2.x.x, it is recommended to upgrade to version 10.1.3.3 or higher, and install Avaya Breeze® Element Manager 3.9.0.0.390038 or higher. 4. CVSS Scores: - CVE-2024-7477: CVSSv3 Base Score 6.5 (Medium) - CVE-2024-7480: CVSSv3 Base Score 4.2 (Medium) 5. Disclaimer: - Information is for reference only and not guaranteed for accuracy. - Not applicable to products or versions that are end-of-life. - Avaya is not liable for any damages, including but not limited to direct, indirect, special, or consequential losses. 6. Contact Information: - Customers or partners should report any security issues with Avaya products through standard support channels. - Independent security researchers may contact Avaya’s Security Alert Team. Summary: Avaya Aura System Manager is affected by two medium-risk vulnerabilities: SQL injection and improper access control. Affected versions are 10.1.x.x and 10.2.x.x. Recommended action: Upgrade to version 10.1.3.3 or higher, and install Avaya Breeze® Element Manager 3.9.0.0.390038 or higher. CVSS scores indicate medium severity. Disclaimer emphasizes that information is for reference only, not applicable to end-of-life versions, and Avaya disclaims all liability.

Goal Reached Thanks to every supporter — we hit 100%!

Avaya Aura System Manager SQL Injection and Access Control Vulnerabilities (CVE-2024-7477/7480)